agenttesla | ee66a185008549b9ca0c687a78aa6a69e4770dd12cab9dc63d5346c1f570904b

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3140	netsh.exe
4864	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk	FB_E735.tmp.exe

Executes dropped EXE 50 IoCs

pid	Process
1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe
1896	.exe
2444	rape (2).exe
1124	(1).exe
5428	(2).exe
4108	rape (6).exe
5316	rape (13).exe
776	rape (5).exe
904	(6).exe
3908	rape (12).exe
2108	rape (11).exe
5480	(1).exe
2564	rape (11).exe
2268	(5).exe
1552	(6).exe
5984	rape (8).exe
2576	(4).exe
844	(3).exe
2472	rape (13).exe
5768	rape (7).exe
5324	(4).exe
1740	rape (17).exe
3620	rape (18).exe
1472	nitropdf.enterprise.pro.x64.13.xx-patch.exe
2300	AfraidDns_Async.exe
5068	(3).exe
1276	AfraidDns_Async.exe
5652	rape (8).exe
6816	(2).exe
7068	FB_E735.tmp.exe
7120	FB_E830.tmp.exe
1684	rape (7).exe
6128	rape (7).exe
3756	sergf.exe
2700	rape (5).exe
800	AsyncClient no setting.exe
6248	nitropdf.enterprise.pro.x64.13.xx-patch.exe
5588	nitropdf.enterprise.pro.x64.13.xx-patch.exe
2088	rape (12).exe
4528	AsyncClient no setting.exe
4000	(5).exe
4340	rape (5).exe
2368	rape (5).exe
4864	(4).exe
296	(3).exe
6256	(4).exe
6696	(4).exe
6684	(4).exe
2484	(3).exe
7084	rape (18).exe

Loads dropped DLL 3 IoCs

pid	Process
1472	nitropdf.enterprise.pro.x64.13.xx-patch.exe
6248	nitropdf.enterprise.pro.x64.13.xx-patch.exe
5588	nitropdf.enterprise.pro.x64.13.xx-patch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FB_E735.tmp.exe\" .."	FB_E735.tmp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5036	powershell.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	freegeoip.app
68	freegeoip.app
12	checkip.dyndns.org

Suspicious use of SetThreadContext 33 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1896 set thread context of 1528	1896	.exe	90
PID 2444 set thread context of 708	2444	rape (2).exe	97
PID 1124 set thread context of 5480	1124	(1).exe	121
PID 5480 set thread context of 3216	5480	(1).exe	52
PID 904 set thread context of 1552	904	(6).exe	124
PID 5316 set thread context of 2472	5316	rape (13).exe	130
PID 2576 set thread context of 5324	2576	(4).exe	137
PID 5324 set thread context of 3216	5324	(4).exe	52
PID 4108 set thread context of 5908	4108	rape (6).exe	141
PID 5768 set thread context of 1556	5768	rape (7).exe	143
PID 1552 set thread context of 5512	1552	(6).exe	151
PID 844 set thread context of 5068	844	(3).exe	148
PID 5324 set thread context of 3216	5324	(4).exe	52
PID 1564 set thread context of 3216	1564	msiexec.exe	52
PID 1740 set thread context of 2660	1740	rape (17).exe	161
PID 5512 set thread context of 5576	5512	cvtres.exe	165
PID 5984 set thread context of 5652	5984	rape (8).exe	178
PID 1564 set thread context of 2760	1564	msiexec.exe	149
PID 5428 set thread context of 6816	5428	(2).exe	189
PID 4556 set thread context of 3216	4556	mstsc.exe	52
PID 1684 set thread context of 796	1684	rape (7).exe	198
PID 776 set thread context of 2700	776	rape (5).exe	202
PID 6128 set thread context of 308	6128	rape (7).exe	203
PID 3908 set thread context of 2088	3908	rape (12).exe	205
PID 800 set thread context of 4528	800	AsyncClient no setting.exe	210
PID 2268 set thread context of 4000	2268	(5).exe	212
PID 4556 set thread context of 2760	4556	mstsc.exe	149
PID 6256 set thread context of 6696	6256	(4).exe	227
PID 4864 set thread context of 6684	4864	(4).exe	228
PID 296 set thread context of 2484	296	(3).exe	230
PID 3620 set thread context of 7084	3620	rape (18).exe	231
PID 7084 set thread context of 3216	7084	rape (18).exe	52

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Nitro\Pro\13\NitroPDF.exe	nitropdf.enterprise.pro.x64.13.xx-patch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4864	2564	WerFault.exe	127
6092	7120	WerFault.exe	195
400	3908	WerFault.exe	123
6940	4000	WerFault.exe	212
2076	4340	WerFault.exe	223
3900	2368	WerFault.exe	225

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(6).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (8).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (7).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (18).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (11).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfraidDns_Async.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient no setting.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (6).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AfraidDns_Async.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sergf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (13).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (13).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (8).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(5).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (17).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (7).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (18).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rape (7).exe

Checks SCSI registry key(s) 3 TTPs 25 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rape (5).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	rape (5).exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\Registry\User\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\NotificationData	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 5600310000000000515a70a9100057696e646f777300400009000400efbec5522d606c5a15ac2e000000a60500000000010000000000000000000000000000006e8e7800570069006e0064006f0077007300000016000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1408376509-1621642251-2666462513-1000\{6BFC87EA-112F-409B-82D3-BAF362384AC4}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 5a003100000000006c5a0dac100053797374656d33320000420009000400efbec5522d606c5a15ac2e0000008f3600000000010000000000000000000000000000003f477200530079007300740065006d0033003200000018000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	nitropdf.enterprise.pro.x64.13.xx-patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c2006020004004c0010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5576	schtasks.exe
4908	schtasks.exe
6236	schtasks.exe
4680	schtasks.exe
3352	schtasks.exe
5636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	powershell.exe
3164	powershell.exe
4876	powershell.exe
4876	powershell.exe
5480	(1).exe
5480	(1).exe
5480	(1).exe
5480	(1).exe
5480	(1).exe
5480	(1).exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
2472	rape (13).exe
2472	rape (13).exe
2472	rape (13).exe
5324	(4).exe
5324	(4).exe
5324	(4).exe
5324	(4).exe
5324	(4).exe
5324	(4).exe
1552	(6).exe
1552	(6).exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
5324	(4).exe
5324	(4).exe
5324	(4).exe
5068	(3).exe
5068	(3).exe
5068	(3).exe
4556	mstsc.exe
4556	mstsc.exe
4556	mstsc.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
5652	rape (8).exe
5652	rape (8).exe
5652	rape (8).exe
4556	mstsc.exe
4556	mstsc.exe
4556	mstsc.exe
5576	cvtres.exe
5576	cvtres.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
7120	FB_E830.tmp.exe
7120	FB_E830.tmp.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
6696	(4).exe
6696	(4).exe
6696	(4).exe
6696	(4).exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3864	7zFM.exe
3216	Explorer.EXE

Suspicious behavior: MapViewOfSection 18 IoCs

pid	Process
5480	(1).exe
5480	(1).exe
5480	(1).exe
5324	(4).exe
1564	msiexec.exe
5324	(4).exe
1564	msiexec.exe
5324	(4).exe
5324	(4).exe
1564	msiexec.exe
1564	msiexec.exe
4556	mstsc.exe
4556	mstsc.exe
4556	mstsc.exe
4556	mstsc.exe
7084	rape (18).exe
7084	rape (18).exe
7084	rape (18).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3864	7zFM.exe
Token: 35	3864	7zFM.exe
Token: SeSecurityPrivilege	3864	7zFM.exe
Token: SeDebugPrivilege	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe
Token: SeDebugPrivilege	1896	.exe
Token: SeDebugPrivilege	2444	rape (2).exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	1124	(1).exe
Token: SeDebugPrivilege	5428	(2).exe
Token: SeDebugPrivilege	4108	rape (6).exe
Token: SeDebugPrivilege	5316	rape (13).exe
Token: SeDebugPrivilege	776	rape (5).exe
Token: SeDebugPrivilege	904	(6).exe
Token: SeDebugPrivilege	3908	rape (12).exe
Token: SeDebugPrivilege	2108	rape (11).exe
Token: SeDebugPrivilege	5480	(1).exe
Token: SeDebugPrivilege	2564	rape (11).exe
Token: SeDebugPrivilege	2268	(5).exe
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeDebugPrivilege	5984	rape (8).exe
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeDebugPrivilege	2576	(4).exe
Token: SeDebugPrivilege	1564	msiexec.exe
Token: SeDebugPrivilege	844	(3).exe
Token: SeDebugPrivilege	2472	rape (13).exe
Token: SeDebugPrivilege	5768	rape (7).exe
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeDebugPrivilege	5324	(4).exe
Token: SeDebugPrivilege	1740	rape (17).exe
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeDebugPrivilege	1552	(6).exe
Token: SeDebugPrivilege	3620	rape (18).exe
Token: SeShutdownPrivilege	2760	explorer.exe
Token: SeCreatePagefilePrivilege	2760	explorer.exe
Token: SeShutdownPrivilege	2760	explorer.exe
Token: SeCreatePagefilePrivilege	2760	explorer.exe
Token: SeShutdownPrivilege	2760	explorer.exe
Token: SeCreatePagefilePrivilege	2760	explorer.exe
Token: SeDebugPrivilege	5512	cvtres.exe
Token: SeShutdownPrivilege	2760	explorer.exe
Token: SeCreatePagefilePrivilege	2760	explorer.exe
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeDebugPrivilege	5068	(3).exe
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeShutdownPrivilege	3216	Explorer.EXE
Token: SeCreatePagefilePrivilege	3216	Explorer.EXE
Token: SeShutdownPrivilege	3216	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3864	7zFM.exe
3864	7zFM.exe
2308	WindowsTerminal.exe
2760	explorer.exe
2760	explorer.exe
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe
6544	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
3216	Explorer.EXE
2760	explorer.exe
2760	explorer.exe
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
2760	explorer.exe
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE
3216	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3992	OpenWith.exe
1992	OpenWith.exe
3536	OpenWith.exe
2308	WindowsTerminal.exe
4136	OpenWith.exe
664	StartMenuExperienceHost.exe
1472	nitropdf.enterprise.pro.x64.13.xx-patch.exe
3216	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1480 wrote to memory of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1480 wrote to memory of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1480 wrote to memory of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1480 wrote to memory of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1480 wrote to memory of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1480 wrote to memory of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1480 wrote to memory of 4676	1480	cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe	84
PID 1896 wrote to memory of 1528	1896	.exe	90
PID 1896 wrote to memory of 1528	1896	.exe	90
PID 1896 wrote to memory of 1528	1896	.exe	90
PID 1896 wrote to memory of 1528	1896	.exe	90
PID 1896 wrote to memory of 1528	1896	.exe	90
PID 1896 wrote to memory of 1528	1896	.exe	90
PID 1896 wrote to memory of 1528	1896	.exe	90
PID 1896 wrote to memory of 1528	1896	.exe	90
PID 2444 wrote to memory of 708	2444	rape (2).exe	97
PID 2444 wrote to memory of 708	2444	rape (2).exe	97
PID 2444 wrote to memory of 708	2444	rape (2).exe	97
PID 2444 wrote to memory of 708	2444	rape (2).exe	97
PID 2444 wrote to memory of 708	2444	rape (2).exe	97
PID 2444 wrote to memory of 708	2444	rape (2).exe	97
PID 2444 wrote to memory of 708	2444	rape (2).exe	97
PID 2444 wrote to memory of 708	2444	rape (2).exe	97
PID 2024 wrote to memory of 2308	2024	wt.exe	103
PID 2024 wrote to memory of 2308	2024	wt.exe	103
PID 2024 wrote to memory of 2308	2024	wt.exe	103
PID 2308 wrote to memory of 1488	2308	WindowsTerminal.exe	104
PID 2308 wrote to memory of 1488	2308	WindowsTerminal.exe	104
PID 2308 wrote to memory of 4256	2308	WindowsTerminal.exe	108
PID 2308 wrote to memory of 4256	2308	WindowsTerminal.exe	108
PID 2308 wrote to memory of 4256	2308	WindowsTerminal.exe	108
PID 2308 wrote to memory of 3164	2308	WindowsTerminal.exe	109
PID 2308 wrote to memory of 3164	2308	WindowsTerminal.exe	109
PID 2308 wrote to memory of 5148	2308	WindowsTerminal.exe	110
PID 2308 wrote to memory of 5148	2308	WindowsTerminal.exe	110
PID 2308 wrote to memory of 5148	2308	WindowsTerminal.exe	110
PID 2308 wrote to memory of 4876	2308	WindowsTerminal.exe	111
PID 2308 wrote to memory of 4876	2308	WindowsTerminal.exe	111
PID 2308 wrote to memory of 4304	2308	WindowsTerminal.exe	112
PID 2308 wrote to memory of 4304	2308	WindowsTerminal.exe	112
PID 2308 wrote to memory of 4304	2308	WindowsTerminal.exe	112
PID 2308 wrote to memory of 5856	2308	WindowsTerminal.exe	113
PID 2308 wrote to memory of 5856	2308	WindowsTerminal.exe	113
PID 1124 wrote to memory of 5480	1124	(1).exe	121
PID 1124 wrote to memory of 5480	1124	(1).exe	121
PID 1124 wrote to memory of 5480	1124	(1).exe	121
PID 1124 wrote to memory of 5480	1124	(1).exe	121
PID 1124 wrote to memory of 5480	1124	(1).exe	121
PID 1124 wrote to memory of 5480	1124	(1).exe	121
PID 904 wrote to memory of 1552	904	(6).exe	124
PID 904 wrote to memory of 1552	904	(6).exe	124
PID 904 wrote to memory of 1552	904	(6).exe	124
PID 904 wrote to memory of 1552	904	(6).exe	124
PID 904 wrote to memory of 1552	904	(6).exe	124
PID 904 wrote to memory of 1552	904	(6).exe	124
PID 904 wrote to memory of 1552	904	(6).exe	124
PID 904 wrote to memory of 1552	904	(6).exe	124
PID 3216 wrote to memory of 1564	3216	Explorer.EXE	126
PID 3216 wrote to memory of 1564	3216	Explorer.EXE	126
PID 3216 wrote to memory of 1564	3216	Explorer.EXE	126
PID 3216 wrote to memory of 2564	3216	Explorer.EXE	127
PID 3216 wrote to memory of 2564	3216	Explorer.EXE	127
PID 3216 wrote to memory of 2564	3216	Explorer.EXE	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\bluestealer.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3864
- C:\Users\Admin\Desktop\cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe
  "C:\Users\Admin\Desktop\cd3b81fbf93281530341f8c8cd66cfdeb7b2f1ec04f6fbe68ddcc35d28200a1c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
- C:\Users\Admin\Desktop\.exe
  "C:\Users\Admin\Desktop\.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- C:\Users\Admin\Desktop\rape (2).exe
  "C:\Users\Admin\Desktop\rape (2).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:708
- C:\Users\Admin\Desktop\ (1).exe
  "C:\Users\Admin\Desktop\ (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\Desktop\ (1).exe
    "C:\Users\Admin\Desktop\ (1).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:5480
- C:\Users\Admin\Desktop\ (2).exe
  "C:\Users\Admin\Desktop\ (2).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- - C:\Users\Admin\Desktop\ (2).exe
    "C:\Users\Admin\Desktop\ (2).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6816
  - - C:\Users\Admin\AppData\Local\Temp\FB_E735.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_E735.tmp.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      PID:7068
  - - C:\Users\Admin\AppData\Local\Temp\FB_E830.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_E830.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:7120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1920
        5⤵
        Program crash
        
        PID:6092
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\sergf\sergf.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6916
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\sergf\sergf.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Desktop\ (2).exe" "C:\Users\Admin\AppData\Roaming\sergf\sergf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6924
- C:\Users\Admin\Desktop\rape (6).exe
  "C:\Users\Admin\Desktop\rape (6).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5908
- C:\Users\Admin\Desktop\rape (13).exe
  "C:\Users\Admin\Desktop\rape (13).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5316
- - C:\Users\Admin\Desktop\rape (13).exe
    "C:\Users\Admin\Desktop\rape (13).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- C:\Users\Admin\Desktop\rape (5).exe
  "C:\Users\Admin\Desktop\rape (5).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- - C:\Users\Admin\Desktop\rape (5).exe
    "C:\Users\Admin\Desktop\rape (5).exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:2700
- - C:\Users\Admin\Desktop\AsyncClient no setting.exe
    "C:\Users\Admin\Desktop\AsyncClient no setting.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:800
  - - C:\Users\Admin\Desktop\AsyncClient no setting.exe
      "C:\Users\Admin\Desktop\AsyncClient no setting.exe"
      4⤵
      Executes dropped EXE
      PID:4528
- C:\Users\Admin\Desktop\ (6).exe
  "C:\Users\Admin\Desktop\ (6).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\Desktop\ (6).exe
    "C:\Users\Admin\Desktop\ (6).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Enumerates connected drives
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5512
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5576
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:6236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5392
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Desktop\ (6).exe" "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6028
- C:\Users\Admin\Desktop\rape (12).exe
  "C:\Users\Admin\Desktop\rape (12).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- - C:\Users\Admin\Desktop\rape (12).exe
    "C:\Users\Admin\Desktop\rape (12).exe"
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1468
    3⤵
    - Program crash
    PID:400
- C:\Users\Admin\Desktop\rape (11).exe
  "C:\Users\Admin\Desktop\rape (11).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- - C:\Users\Admin\AppData\Local\Temp\AfraidDns_Async.exe
    "C:\Users\Admin\AppData\Local\Temp\AfraidDns_Async.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\win10\win10.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\win10\win10.exe'" /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C copy "C:\Users\Admin\Desktop\rape (11).exe" "C:\Users\Admin\AppData\Local\Temp\win10\win10.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\Desktop\ (1).exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5668
- C:\Users\Admin\Desktop\rape (11).exe
  "C:\Users\Admin\Desktop\rape (11).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\AfraidDns_Async.exe
    "C:\Users\Admin\AppData\Local\Temp\AfraidDns_Async.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1080
    3⤵
    - Program crash
    PID:4864
- C:\Users\Admin\Desktop\ (5).exe
  "C:\Users\Admin\Desktop\ (5).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- - C:\Users\Admin\Desktop\ (5).exe
    "C:\Users\Admin\Desktop\ (5).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 404
      4⤵
      Program crash
      PID:6940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Filemanager\Filemanager.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6892
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\Filemanager\Filemanager.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Desktop\ (5).exe" "C:\Users\Admin\AppData\Roaming\Filemanager\Filemanager.exe"
    3⤵
    PID:7112
- C:\Users\Admin\Desktop\rape (8).exe
  "C:\Users\Admin\Desktop\rape (8).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5984
- - C:\Users\Admin\Desktop\rape (8).exe
    "C:\Users\Admin\Desktop\rape (8).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5652
- C:\Users\Admin\Desktop\ (4).exe
  "C:\Users\Admin\Desktop\ (4).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- - C:\Users\Admin\Desktop\ (4).exe
    "C:\Users\Admin\Desktop\ (4).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:5324
- C:\Users\Admin\Desktop\ (3).exe
  "C:\Users\Admin\Desktop\ (3).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- - C:\Users\Admin\Desktop\ (3).exe
    "C:\Users\Admin\Desktop\ (3).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- C:\Users\Admin\Desktop\rape (7).exe
  "C:\Users\Admin\Desktop\rape (7).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "AppLaunch.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4864
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" "AppLaunch.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3140
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,vbs,bat,hta,lnk,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5036
- - C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe
    "C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:1472
- C:\Users\Admin\Desktop\rape (17).exe
  "C:\Users\Admin\Desktop\rape (17).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- C:\Users\Admin\Desktop\rape (18).exe
  "C:\Users\Admin\Desktop\rape (18).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- - C:\Users\Admin\Desktop\rape (18).exe
    "C:\Users\Admin\Desktop\rape (18).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:7084
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\Desktop\ (4).exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Users\Admin\Desktop\rape (7).exe
  "C:\Users\Admin\Desktop\rape (7).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:796
- - C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe
    "C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:6248
- C:\Users\Admin\Desktop\rape (7).exe
  "C:\Users\Admin\Desktop\rape (7).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
- - C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe
    "C:\Users\Admin\AppData\Local\Temp\nitropdf.enterprise.pro.x64.13.xx-patch.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5588
- C:\Users\Admin\Desktop\ (4).exe
  "C:\Users\Admin\Desktop\ (4).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4864
- - C:\Users\Admin\Desktop\ (4).exe
    "C:\Users\Admin\Desktop\ (4).exe"
    3⤵
    - Executes dropped EXE
    PID:6684
- C:\Users\Admin\Desktop\rape (5).exe
  "C:\Users\Admin\Desktop\rape (5).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4340
- - C:\Users\Admin\Desktop\rape (5).exe
    "C:\Users\Admin\Desktop\rape (5).exe"
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1444
    3⤵
    - Program crash
    PID:2076
- C:\Users\Admin\Desktop\ (3).exe
  "C:\Users\Admin\Desktop\ (3).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:296
- - C:\Users\Admin\Desktop\ (3).exe
    "C:\Users\Admin\Desktop\ (3).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2484
- C:\Users\Admin\Desktop\rape (5).exe
  "C:\Users\Admin\Desktop\rape (5).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2368
- - C:\Users\Admin\Desktop\rape (5).exe
    "C:\Users\Admin\Desktop\rape (5).exe"
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1444
    3⤵
    - Program crash
    PID:3900
- C:\Users\Admin\Desktop\ (4).exe
  "C:\Users\Admin\Desktop\ (4).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6256
- - C:\Users\Admin\Desktop\ (4).exe
    "C:\Users\Admin\Desktop\ (4).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6696
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:6544
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\Desktop\rape (18).exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\Admin\Desktop\."
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe -d "C:\Users\Admin\Desktop\."
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:1488
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa1c --server 0xa18
    3⤵
    PID:4256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xb68 --server 0xb5c
    3⤵
    PID:5148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xc2c --server 0xc24
    3⤵
    PID:4304
- - C:\Windows\system32\cmd.exe
    cmd.exe
    3⤵
    PID:5856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2564 -ip 2564
1⤵
PID:1888

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7120 -ip 7120
1⤵
PID:4864

C:\Users\Admin\AppData\Roaming\sergf\sergf.exe
C:\Users\Admin\AppData\Roaming\sergf\sergf.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3756
- C:\Users\Admin\AppData\Roaming\sergf\sergf.exe
  "C:\Users\Admin\AppData\Roaming\sergf\sergf.exe"
  2⤵
  PID:6664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\sergf\sergf.exe'" /f
  2⤵
  PID:6668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\sergf\sergf.exe'" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\sergf\sergf.exe" "C:\Users\Admin\AppData\Roaming\sergf\sergf.exe"
  2⤵
  PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3908 -ip 3908
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4000 -ip 4000
1⤵
PID:6944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4340 -ip 4340
1⤵
PID:6184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2368 -ip 2368
1⤵
PID:6632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery