amadey | a6ee6130d83bbe55e9dacdff2005950d69fc2d3c54e28467b82c148e274d90da

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	00dbc74e3561adf15cb078b0b5f96860.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	00dbc74e3561adf15cb078b0b5f96860.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	00dbc74e3561adf15cb078b0b5f96860.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe = "C:\\Users\\Admin\\Desktop\\00dbc74e3561adf15cb078b0b5f96860.exe:*:enabled:@shell32.dll,-1"	00dbc74e3561adf15cb078b0b5f96860.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\b9801980\jusched.exe = "C:\\Program Files (x86)\\b9801980\\jusched.exe:*:Enabled:edaJ2aUa3tpv"	002097d6949872781cfe00fbc4c9fe83.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\b9801980\jusched.exe = "C:\\Program Files (x86)\\b9801980\\jusched.exe:*:Enabled:edaJ2aUa3tpv"	002097d6949872781cfe00fbc4c9fe83.exe

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/1000-4220-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 1 IoCs

flow	pid	Process
99	5548	chrome.exe

Drops file in Drivers directory 16 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	exe.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	002097d6949872781cfe00fbc4c9fe83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	002097d6949872781cfe00fbc4c9fe83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	0da5b00e8e941ac4be29830e6040cb5f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	rgbux.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDD89.tmp	84c82835a5d21bbcf75a61706d8ab549.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDD90.tmp	84c82835a5d21bbcf75a61706d8ab549.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
6024	7z2409-x64.exe
5052	7zFM.exe
1032	7zG.exe
1468	0141d6e9b3db978d2cdc5883072f3cd9 (6).exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
632	0cae2144249cca11917ce26657fc0281.exe
3844	0da5b00e8e941ac4be29830e6040cb5f.exe
5804	0e99a12527e6d154684e298b3ad1c95f.exe
2132	0d83a54f6bb735aa81496e24932f448c.exe
3364	tynbuc.exe
1732	0141d6e9b3db978d2cdc5883072f3cd9 (6).exe
864	002097d6949872781cfe00fbc4c9fe83.exe
4944	002097d6949872781cfe00fbc4c9fe83.exe
1736	jusched.exe
3040	jusched.exe
5936	c26f08592df7db1c611c558c02bac3d9.exe
1988	c26f08592df7db1c611c558c02bac3d9.exe
4628	c26f08592df7db1c611c558c02bac3d9.exe
4704	c26f08592df7db1c611c558c02bac3d9.exe
2548	c26f08592df7db1c611c558c02bac3d9.exe
5336	c26f08592df7db1c611c558c02bac3d9.exe
5828	c26f08592df7db1c611c558c02bac3d9.exe
1684	bedc75141877b5e6ef16af9853041860.exe
5440	bedc75141877b5e6ef16af9853041860.exe
5300	bedc75141877b5e6ef16af9853041860.exe
212	84c82835a5d21bbcf75a61706d8ab549.exe
5932	84c82835a5d21bbcf75a61706d8ab549.exe
5456	84c82835a5d21bbcf75a61706d8ab549.exe
3484	taskdl.exe
1780	@[email protected]
3648	@[email protected]
4876	taskhsvc.exe
3720	taskdl.exe
4436	taskse.exe
4148	@[email protected]
404	@[email protected]
3572	taskdl.exe
4280	taskse.exe
2508	@[email protected]
5684	taskse.exe
3296	taskdl.exe
5280	@[email protected]
1728	0e99a12527e6d154684e298b3ad1c95f.exe
2640	0e99a12527e6d154684e298b3ad1c95f.exe
4476	0e99a12527e6d154684e298b3ad1c95f.exe
2132	0e99a12527e6d154684e298b3ad1c95f.exe
5032	0da5b00e8e941ac4be29830e6040cb5f.exe
1184	rgbux.exe
4764	0d83a54f6bb735aa81496e24932f448c.exe
4336	0cae2144249cca11917ce26657fc0281.exe
1252	taskse.exe
3556	@[email protected]
1392	taskdl.exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
3976	eeeeee.exe
5044	eeeeee.exe
5572	eeeeee.exe
5480	eeeeee.exe
5256	eeeeee.exe
1272	eeeeee.exe
4964	eeeeee.exe
3440	eeeeee.exe
5888	eeeeee.exe
4004	eeeeee.exe

Loads dropped DLL 12 IoCs

pid	Process
3416	Explorer.EXE
3416	Explorer.EXE
1032	7zG.exe
5052	7zFM.exe
4876	taskhsvc.exe
4876	taskhsvc.exe
4876	taskhsvc.exe
4876	taskhsvc.exe
4876	taskhsvc.exe
4876	taskhsvc.exe
4876	taskhsvc.exe
4876	taskhsvc.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4372	icacls.exe
6136	icacls.exe
5356	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syxbcyyxjv923 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\Desktop/exe.exe"	exe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-814918696-1585701690-3140955116-1000\desktop.ini	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-814918696-1585701690-3140955116-1000\desktop.ini	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-814918696-1585701690-3140955116-1000\desktop.ini	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-814918696-1585701690-3140955116-1000\desktop.ini	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\$Recycle.Bin\S-1-5-21-814918696-1585701690-3140955116-1000\desktop.ini	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\$Recycle.Bin\S-1-5-21-814918696-1585701690-3140955116-1000\desktop.ini	bedc75141877b5e6ef16af9853041860.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\J:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\O:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\P:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\W:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\Z:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\G:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\I:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\N:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\Q:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\R:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\X:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\E:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\H:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\L:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\M:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\S:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\V:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\Y:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\K:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\T:	00dbc74e3561adf15cb078b0b5f96860.exe
File opened (read-only)	\??\U:	00dbc74e3561adf15cb078b0b5f96860.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
543	iplogger.org
563	iplogger.org
577	iplogger.org
578	iplogger.org
597	iplogger.org
648	iplogger.org
772	iplogger.org
846	iplogger.org
310	iplogger.org
312	iplogger.org
667	iplogger.org
695	iplogger.org
954	iplogger.org
1003	iplogger.org
1024	iplogger.org
1079	iplogger.org
376	iplogger.org
657	iplogger.org
876	iplogger.org
927	iplogger.org
1058	iplogger.org
1060	iplogger.org
1094	iplogger.org
1248	iplogger.org
859	iplogger.org
966	iplogger.org
987	iplogger.org
1103	iplogger.org
1154	iplogger.org
1180	iplogger.org
1244	iplogger.org
1266	iplogger.org
220	iplogger.org
849	iplogger.org
1045	iplogger.org
1143	iplogger.org
1204	iplogger.org
1211	iplogger.org
1281	iplogger.org
1298	iplogger.org
893	iplogger.org
915	iplogger.org
923	iplogger.org
990	iplogger.org
1055	iplogger.org
1273	iplogger.org
580	iplogger.org
627	iplogger.org
713	iplogger.org
791	iplogger.org
855	iplogger.org
918	iplogger.org
1081	iplogger.org
1259	iplogger.org
208	iplogger.org
305	iplogger.org
459	iplogger.org
517	iplogger.org
550	iplogger.org
1039	iplogger.org
1085	iplogger.org
1149	iplogger.org
581	iplogger.org
699	iplogger.org

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
878	checkip.dyndns.org
882	freegeoip.app
883	freegeoip.app
907	freegeoip.app
919	freegeoip.app
926	freegeoip.app

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tynbuc.exe	0cae2144249cca11917ce26657fc0281.exe
File opened for modification	C:\Windows\SysWOW64\tynbuc.exe	0cae2144249cca11917ce26657fc0281.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	84c82835a5d21bbcf75a61706d8ab549.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 1000	2640	0e99a12527e6d154684e298b3ad1c95f.exe	296
PID 1728 set thread context of 5448	1728	0e99a12527e6d154684e298b3ad1c95f.exe	309
PID 4476 set thread context of 3708	4476	0e99a12527e6d154684e298b3ad1c95f.exe	311
PID 2132 set thread context of 2624	2132	0e99a12527e6d154684e298b3ad1c95f.exe	314

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sw.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	exe.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\tk.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\zh-tw.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\mng.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\en.ttt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe	exe.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	exe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2409-x64.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\et.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\7-Zip\7zFM.exe	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ext.txt	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	exe.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sv.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\dicjp.bin	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	bedc75141877b5e6ef16af9853041860.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	exe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	exe.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\el.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\mr.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2409-x64.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\cy.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	exe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2409-x64.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\en.ttt	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\nl.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ja.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\br.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	exe.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\mng2.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sq.txt	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	bedc75141877b5e6ef16af9853041860.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\pl.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\zh-tw.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\License.txt	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	bedc75141877b5e6ef16af9853041860.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\kab.txt	bedc75141877b5e6ef16af9853041860.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2229298842\2477832400.pri	LogonUI.exe
File created	C:\Windows\Tasks\2tdU3eap.job	002097d6949872781cfe00fbc4c9fe83.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4924	3844	WerFault.exe	171
2624	5804	WerFault.exe	172
3936	5440	WerFault.exe	201
5432	3648	WerFault.exe	230
4928	3648	WerFault.exe	230
3852	1000	WerFault.exe	296
5708	3708	WerFault.exe	311
1252	5448	WerFault.exe	309
6032	2624	WerFault.exe	314

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bedc75141877b5e6ef16af9853041860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	002097d6949872781cfe00fbc4c9fe83.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bedc75141877b5e6ef16af9853041860.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84c82835a5d21bbcf75a61706d8ab549.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoClicker-3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cae2144249cca11917ce26657fc0281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tynbuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeeeee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d83a54f6bb735aa81496e24932f448c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84c82835a5d21bbcf75a61706d8ab549.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e99a12527e6d154684e298b3ad1c95f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0da5b00e8e941ac4be29830e6040cb5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 32 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884087966610068"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "185"	LogonUI.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\♣愀蠀\ = "wnry_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\wnry_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\wnry_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\.wnry\ = "wnry_auto_file"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\wnry_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\wnry_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\.wnry	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\♣愀蠀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\\ = "wnry_auto_file"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\wnry_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
3144	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
4860	chrome.exe
4860	chrome.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
3364	tynbuc.exe
3364	tynbuc.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe
4880	taskmgr.exe
1284	00dbc74e3561adf15cb078b0b5f96860.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2140	AutoClicker-3.1.exe
5052	7zFM.exe
4148	@[email protected]

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe
632	0cae2144249cca11917ce26657fc0281.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe
Token: SeShutdownPrivilege	824	chrome.exe
Token: SeCreatePagefilePrivilege	824	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
1032	7zG.exe
5052	7zFM.exe
5052	7zFM.exe
5052	7zFM.exe
5052	7zFM.exe
5052	7zFM.exe
5052	7zFM.exe
824	chrome.exe
5052	7zFM.exe
5052	7zFM.exe
5052	7zFM.exe
5052	7zFM.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
824	chrome.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe
4880	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1780	@[email protected]
1780	@[email protected]
3648	@[email protected]
3648	@[email protected]
4148	@[email protected]
4148	@[email protected]
404	@[email protected]
2508	@[email protected]
5280	@[email protected]
3556	@[email protected]
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
5176	0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
4956	@[email protected]
4472	OpenWith.exe
4472	OpenWith.exe
4472	OpenWith.exe
4472	OpenWith.exe
4472	OpenWith.exe
4472	OpenWith.exe
4472	OpenWith.exe
4632	firefox.exe
4632	firefox.exe
4632	firefox.exe
4632	firefox.exe
5136	@[email protected]
6452	@[email protected]
6540	@[email protected]
7116	@[email protected]
6860	exe.exe
6860	exe.exe
6740	exe.exe
6740	exe.exe
796	exe.exe
796	exe.exe
1724	exe.exe
1724	exe.exe
1260	exe.exe
1260	exe.exe
3024	exe.exe
3024	exe.exe
6040	exe.exe
6040	exe.exe
1280	exe.exe
1280	exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 5632	824	chrome.exe	98
PID 824 wrote to memory of 5632	824	chrome.exe	98
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 5548	824	chrome.exe	100
PID 824 wrote to memory of 5548	824	chrome.exe	100
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 548	824	chrome.exe	99
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101
PID 824 wrote to memory of 4980	824	chrome.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6104	attrib.exe
2068	attrib.exe
2924	attrib.exe
4900	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:776
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa387f055 /state1:0x41c64e6d
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3508

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:784
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3084
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3832
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3928
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4044
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:724
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3944
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3300
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:3360
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:5864
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:4076
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  2⤵
  PID:2292
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  2⤵
  PID:3460
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:2052
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\msg\m_polish.wnry"
    3⤵
    PID:4448
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\msg\m_polish.wnry
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4632
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2576 -prefsLen 24591 -prefMapHandle 2580 -prefMapSize 268500 -ipcHandle 2644 -initialChannelId {136f512b-270e-45dd-b0b1-5241a04fe234} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        5⤵
        
        PID:1348
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2928 -prefsLen 24591 -prefMapHandle 2932 -prefMapSize 268500 -ipcHandle 2864 -initialChannelId {553ecca5-9c75-457f-801f-67e75f6dd2f1} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        5⤵
        Checks processor information in registry
        
        PID:5280
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2084 -prefsLen 24795 -prefMapHandle 1776 -prefMapSize 268500 -jsInitHandle 1804 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1924 -initialChannelId {e94c83c6-e52c-4e35-b72f-828dde51fb51} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        5⤵
        Checks processor information in registry
        
        PID:5184
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3900 -prefsLen 25758 -prefMapHandle 3904 -prefMapSize 268500 -ipcHandle 3912 -initialChannelId {6d75ff6f-d8a1-417c-9090-eeb661b1ff9e} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        5⤵
        
        PID:4860
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4120 -prefsLen 25907 -prefMapHandle 4124 -prefMapSize 268500 -jsInitHandle 4128 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4136 -initialChannelId {52dca00c-d916-40b8-9e59-2865862533f3} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        5⤵
        Checks processor information in registry
        
        PID:3024
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4276 -prefsLen 26125 -prefMapHandle 4272 -prefMapSize 268500 -jsInitHandle 4268 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4256 -initialChannelId {1cdbc7d1-a79b-4028-9e90-27598042296c} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 tab
        5⤵
        Checks processor information in registry
        
        PID:5124
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4160 -prefsLen 36421 -prefMapHandle 3772 -prefMapSize 268500 -ipcHandle 3760 -initialChannelId {2be3281e-eedd-4a35-80a1-1a1b0d3f5d72} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 utility
        5⤵
        Checks processor information in registry
        
        PID:6584
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5312 -prefsLen 34413 -prefMapHandle 5316 -prefMapSize 268500 -jsInitHandle 5320 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5328 -initialChannelId {c2185725-fc73-4759-a006-90c8f1224c6b} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        5⤵
        Checks processor information in registry
        
        PID:6612
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5568 -prefsLen 34537 -prefMapHandle 5572 -prefMapSize 268500 -jsInitHandle 5576 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5588 -initialChannelId {134dc17d-a6dd-4944-a6e8-15485f08b90d} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        5⤵
        Checks processor information in registry
        
        PID:6664
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5760 -prefsLen 34537 -prefMapHandle 5764 -prefMapSize 268500 -jsInitHandle 5768 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5532 -initialChannelId {a089bb4f-75e4-4d7e-9922-16255354e4b1} -parentPid 4632 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4632" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
        5⤵
        Checks processor information in registry
        
        PID:6696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1228
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
  C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
  2⤵
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
  C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
  2⤵
  PID:6600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1460
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1488

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1996

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2792

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2896

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
PID:3416
- C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\AutoClicker-3.1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeeda9dcf8,0x7ffeeda9dd04,0x7ffeeda9dd10
    3⤵
    PID:5632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2152,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    - Downloads MZ/PE file
    PID:5548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2392 /prefetch:8
    3⤵
    PID:4980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:1788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:2116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4360,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4396 /prefetch:2
    3⤵
    PID:428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4704,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4716 /prefetch:1
    3⤵
    PID:3744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5388,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5404 /prefetch:8
    3⤵
    PID:5768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5392,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5488 /prefetch:8
    3⤵
    PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5400,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5684 /prefetch:8
    3⤵
    PID:3672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5544,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5568 /prefetch:8
    3⤵
    PID:3940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5880,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5752 /prefetch:8
    3⤵
    PID:404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5688,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5748 /prefetch:1
    3⤵
    PID:4260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3380,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:4352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6024,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6040 /prefetch:1
    3⤵
    PID:5596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5684,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5900 /prefetch:1
    3⤵
    PID:5752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6332,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6360 /prefetch:8
    3⤵
    PID:1528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6396,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6472 /prefetch:1
    3⤵
    PID:5276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6092,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6132 /prefetch:1
    3⤵
    PID:4228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3104,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3268 /prefetch:8
    3⤵
    PID:5544
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6108,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3304 /prefetch:8
    3⤵
    PID:5860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6096,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:8
    3⤵
    PID:4920
- - C:\Users\Admin\Downloads\7z2409-x64.exe
    "C:\Users\Admin\Downloads\7z2409-x64.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:6024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4488,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6496 /prefetch:2
    3⤵
    PID:536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3208,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4412 /prefetch:8
    3⤵
    PID:2416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6600,i,9816226156045926451,9252557833768755559,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6184 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4860
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:5052
- - C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap11246:72:7zEvent10147 -ad -saa -- "C:\infected_2"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:1032
- C:\Users\Admin\Desktop\0141d6e9b3db978d2cdc5883072f3cd9 (6).exe
  "C:\Users\Admin\Desktop\0141d6e9b3db978d2cdc5883072f3cd9 (6).exe"
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe
  "C:\Users\Admin\Desktop\00dbc74e3561adf15cb078b0b5f96860.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Users\Admin\Desktop\0cae2144249cca11917ce26657fc0281.exe
  "C:\Users\Admin\Desktop\0cae2144249cca11917ce26657fc0281.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:632
- C:\Users\Admin\Desktop\0d83a54f6bb735aa81496e24932f448c.exe
  "C:\Users\Admin\Desktop\0d83a54f6bb735aa81496e24932f448c.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Users\Admin\Desktop\0da5b00e8e941ac4be29830e6040cb5f.exe
  "C:\Users\Admin\Desktop\0da5b00e8e941ac4be29830e6040cb5f.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 528
    3⤵
    - Program crash
    PID:4924
- C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
  "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 1188
    3⤵
    - Program crash
    PID:2624
- C:\Users\Admin\Desktop\0141d6e9b3db978d2cdc5883072f3cd9 (6).exe
  "C:\Users\Admin\Desktop\0141d6e9b3db978d2cdc5883072f3cd9 (6).exe"
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Users\Admin\Desktop\002097d6949872781cfe00fbc4c9fe83.exe
  "C:\Users\Admin\Desktop\002097d6949872781cfe00fbc4c9fe83.exe"
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:864
- - C:\Program Files (x86)\b9801980\jusched.exe
    "C:\Program Files (x86)\b9801980\jusched.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3040
- C:\Users\Admin\Desktop\002097d6949872781cfe00fbc4c9fe83.exe
  "C:\Users\Admin\Desktop\002097d6949872781cfe00fbc4c9fe83.exe"
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Executes dropped EXE
  PID:4944
- - C:\Program Files (x86)\b9801980\jusched.exe
    "C:\Program Files (x86)\b9801980\jusched.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1736
- C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe
  "C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe"
  2⤵
  - Executes dropped EXE
  PID:5936
- C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe
  "C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe
  "C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe"
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe
  "C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe"
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe
  "C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe"
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe
  "C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe"
  2⤵
  - Executes dropped EXE
  PID:5336
- C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe
  "C:\Users\Admin\Desktop\c26f08592df7db1c611c558c02bac3d9.exe"
  2⤵
  - Executes dropped EXE
  PID:5828
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4880
- C:\Users\Admin\Desktop\bedc75141877b5e6ef16af9853041860.exe
  "C:\Users\Admin\Desktop\bedc75141877b5e6ef16af9853041860.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Users\Admin\Desktop\bedc75141877b5e6ef16af9853041860.exe
  "C:\Users\Admin\Desktop\bedc75141877b5e6ef16af9853041860.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  PID:5440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 488
    3⤵
    - Program crash
    PID:3936
- C:\Users\Admin\Desktop\bedc75141877b5e6ef16af9853041860.exe
  "C:\Users\Admin\Desktop\bedc75141877b5e6ef16af9853041860.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5300
- C:\Users\Admin\Desktop\84c82835a5d21bbcf75a61706d8ab549.exe
  "C:\Users\Admin\Desktop\84c82835a5d21bbcf75a61706d8ab549.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:212
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:6104
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 93701743935600.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4900
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1780
  - - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796
  - - C:\Users\Admin\Desktop\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3648
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:5728
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:3492
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 248
        5⤵
        Program crash
        
        PID:5432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 452
        5⤵
        Program crash
        
        PID:4928
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3720
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4436
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "syxbcyyxjv923" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5880
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "syxbcyyxjv923" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3144
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    PID:3572
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:4280
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2508
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5684
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3296
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5280
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    - Executes dropped EXE
    PID:1252
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3556
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1392
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1196
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4956
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:2408
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1504
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5136
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5184
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6448
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6452
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:5020
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    PID:7108
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:7116
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6940
- C:\Users\Admin\Desktop\84c82835a5d21bbcf75a61706d8ab549.exe
  "C:\Users\Admin\Desktop\84c82835a5d21bbcf75a61706d8ab549.exe"
  2⤵
  - Executes dropped EXE
  PID:5932
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2068
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6136
- C:\Users\Admin\Desktop\84c82835a5d21bbcf75a61706d8ab549.exe
  "C:\Users\Admin\Desktop\84c82835a5d21bbcf75a61706d8ab549.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5456
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2924
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\tasksche.exe"
  2⤵
  PID:4468
- C:\Users\Public\Desktop\@[email protected]
  "C:\Users\Public\Desktop\@[email protected]"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:404
- C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
  "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1728
- - C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
    "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 1780
      4⤵
      Program crash
      PID:1252
- C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
  "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2640
- - C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
    "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1000
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1752
      4⤵
      Program crash
      PID:3852
- C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
  "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4476
- - C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
    "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
    3⤵
    PID:4352
- - C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
    "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1772
      4⤵
      Program crash
      PID:5708
- C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
  "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2132
- - C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe
    "C:\Users\Admin\Desktop\0e99a12527e6d154684e298b3ad1c95f.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1784
      4⤵
      Program crash
      PID:6032
- C:\Users\Admin\Desktop\0da5b00e8e941ac4be29830e6040cb5f.exe
  "C:\Users\Admin\Desktop\0da5b00e8e941ac4be29830e6040cb5f.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
    "C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\152c6d54a1\
      4⤵
      System Location Discovery: System Language Discovery
      PID:400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\152c6d54a1\
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rgbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3432
- C:\Users\Admin\Desktop\0d83a54f6bb735aa81496e24932f448c.exe
  "C:\Users\Admin\Desktop\0d83a54f6bb735aa81496e24932f448c.exe"
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Users\Admin\Desktop\0cae2144249cca11917ce26657fc0281.exe
  "C:\Users\Admin\Desktop\0cae2144249cca11917ce26657fc0281.exe"
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Users\Admin\Desktop\0141d6e9b3db978d2cdc5883072f3cd9 (2).exe
  "C:\Users\Admin\Desktop\0141d6e9b3db978d2cdc5883072f3cd9 (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5176
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3976
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:5572
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:5480
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:5256
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:5888
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  PID:2396
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  PID:4812
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  PID:2752
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  PID:2508
- C:\Users\Admin\Desktop\eeeeee.exe
  "C:\Users\Admin\Desktop\eeeeee.exe"
  2⤵
  PID:4280
- C:\Users\Admin\Desktop\didlo.exe
  "C:\Users\Admin\Desktop\didlo.exe"
  2⤵
  PID:1572
- C:\Users\Admin\Desktop\didlo.exe
  "C:\Users\Admin\Desktop\didlo.exe"
  2⤵
  PID:3368
- C:\Users\Admin\Desktop\didlo.exe
  "C:\Users\Admin\Desktop\didlo.exe"
  2⤵
  PID:6012
- C:\Users\Admin\Desktop\didlo.exe
  "C:\Users\Admin\Desktop\didlo.exe"
  2⤵
  PID:4080
- C:\Users\Admin\Desktop\didlo.exe
  "C:\Users\Admin\Desktop\didlo.exe"
  2⤵
  PID:6116
- C:\Users\Admin\Desktop\didlo.exe
  "C:\Users\Admin\Desktop\didlo.exe"
  2⤵
  PID:5984
- C:\Users\Admin\Desktop\didlo.exe
  "C:\Users\Admin\Desktop\didlo.exe"
  2⤵
  PID:5720
- C:\Users\Admin\Desktop\didlo.exe
  "C:\Users\Admin\Desktop\didlo.exe"
  2⤵
  PID:2384
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\msg\m_polish.wnry"
  2⤵
  PID:1712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\msg\m_polish.wnry
    3⤵
    - Checks processor information in registry
    PID:5592
- C:\Users\Public\Desktop\@[email protected]
  "C:\Users\Public\Desktop\@[email protected]"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6540
- C:\Users\Admin\Desktop\exe.exe
  "C:\Users\Admin\Desktop\exe.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:6712
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:6768
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:5928
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:2728
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:1260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:5512
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:5792
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:6040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:5896
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:5956
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    PID:6524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:6032
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:5996
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:5356
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:1596
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:4688
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:3200
- - C:\Users\Admin\Desktop\exe.exe
    C:\Users\Admin\Desktop/exe.exe
    3⤵
    - Drops file in Drivers directory
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop/exe.exe
  2⤵
  PID:6408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3656

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5676

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1444
- C:\Windows\system32\dashost.exe
  dashost.exe {925b4882-af89-4dbd-8a2babfdf5e53666}
  2⤵
  PID:3524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4052

C:\Windows\SysWOW64\tynbuc.exe
C:\Windows\SysWOW64\tynbuc.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3844 -ip 3844
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5804 -ip 5804
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5440 -ip 5440
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3648 -ip 3648
1⤵
PID:1188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3648 -ip 3648
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1000 -ip 1000
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3708 -ip 3708
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5448 -ip 5448
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2624 -ip 2624
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery