asyncrat | 390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Modify Existing Service

T1031

Processes:

explorer.exea599quq1595ek_1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	a599quq1595ek_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	a599quq1595ek_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	a599quq1595ek_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	a599quq1595ek_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

regedit.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath regedit.exe
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\ImagePath	regedit.exe

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral31/memory/512-112-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral31/memory/512-113-0x000000000040C76E-mapping.dmp	asyncrat
behavioral31/memory/4972-516-0x000000000040C76E-mapping.dmp	asyncrat

ModiLoader First Stage 2 IoCs

Processes:

resource	yara_rule
behavioral31/memory/3900-171-0x0000000002A60000-0x0000000002ABC000-memory.dmp	modiloader_stage1
behavioral31/memory/4476-534-0x00000000041C0000-0x000000000421C000-memory.dmp	modiloader_stage1

Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file

Executes dropped EXE 31 IoCs

Processes:

a599quq1595ek_1.exea599quq1595ek_1.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exemc1wc5757.exeWxzzZNQHI3.execLK6vDADey.exeUrXJ4xouC3.exeZSZAUJV5RA.exeWxzzZNQHI3.exeUrXJ4xouC3.exeZSZAUJV5RA.exempmheacv.exeazchgftrq.exemc1wc5757.exemc1wc5757.exebEAuR4J6Mp.exeoGMCJJj985.exelbZoNDahtD.exer4smJnFUj3.exebEAuR4J6Mp.exelbZoNDahtD.exer4smJnFUj3.exeozchgftrq.exeazchgftrq.exeozchgftrq.exeynxywetm.exe

pid	process
3636	a599quq1595ek_1.exe
2604	a599quq1595ek_1.exe
1256	a7eo39ywgs5.exe
3784	FGbfttrev.exe
2192	FDvbcgfert.exe
3940	a7eo39ywgs5.exe
1892	FGbfttrev.exe
188	FDvbcgfert.exe
2936	mc1wc5757.exe
3192	WxzzZNQHI3.exe
3900	cLK6vDADey.exe
992	UrXJ4xouC3.exe
644	ZSZAUJV5RA.exe
512	WxzzZNQHI3.exe
1548	UrXJ4xouC3.exe
2520	ZSZAUJV5RA.exe
1236	mpmheacv.exe
1012	azchgftrq.exe
2764	mc1wc5757.exe
360	mc1wc5757.exe
4876	bEAuR4J6Mp.exe
4476	oGMCJJj985.exe
4532	lbZoNDahtD.exe
5084	r4smJnFUj3.exe
4972	bEAuR4J6Mp.exe
3700	lbZoNDahtD.exe
4176	r4smJnFUj3.exe
4956	ozchgftrq.exe
4208	azchgftrq.exe
4528	ozchgftrq.exe
2132	ynxywetm.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Loads dropped DLL 13 IoCs

Processes:

FDvbcgfert.exea7eo39ywgs5.exemc1wc5757.exeozchgftrq.exe

pid	process
188	FDvbcgfert.exe
188	FDvbcgfert.exe
188	FDvbcgfert.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
360	mc1wc5757.exe
4528	ozchgftrq.exe
4528	ozchgftrq.exe
4528	ozchgftrq.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

ZSZAUJV5RA.exer4smJnFUj3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ZSZAUJV5RA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ZSZAUJV5RA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r4smJnFUj3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

explorer.exemc1wc5757.execLK6vDADey.exeregedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	mc1wc5757.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	mc1wc5757.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	mc1wc5757.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zsle = "C:\\Users\\Admin\\AppData\\Local\\elsZ.url"	cLK6vDADey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	mc1wc5757.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 5.0 = "\"C:\\ProgramData\\Google Updater 5.0\\a599quq1595ek.exe\""	regedit.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

a599quq1595ek_1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	a599quq1595ek_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	a599quq1595ek_1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

Processes:

a599quq1595ek_1.exea7eo39ywgs5.exemc1wc5757.exeou55sg33s_1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a599quq1595ek_1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a7eo39ywgs5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mc1wc5757.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ou55sg33s_1.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

explorer.exea7eo39ywgs5.exemc1wc5757.exe

description	ioc	process
File opened for modification	C:\ProgramData\Google Updater 5.0\desktop.ini	explorer.exe
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	a7eo39ywgs5.exe
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	mc1wc5757.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

mc1wc5757.exea7eo39ywgs5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	mc1wc5757.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	a7eo39ywgs5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	a7eo39ywgs5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	mc1wc5757.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 27 IoCs

Processes:

ou55sg33s_1.exeexplorer.exea599quq1595ek_1.exea7eo39ywgs5.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exemc1wc5757.exe

pid	process
4004	ou55sg33s_1.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
2604	a599quq1595ek_1.exe
1256	a7eo39ywgs5.exe
1256	a7eo39ywgs5.exe
1256	a7eo39ywgs5.exe
1256	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
3940	a7eo39ywgs5.exe
1892	FGbfttrev.exe
1892	FGbfttrev.exe
188	FDvbcgfert.exe
188	FDvbcgfert.exe
2936	mc1wc5757.exe
2936	mc1wc5757.exe
2936	mc1wc5757.exe
2936	mc1wc5757.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

ou55sg33s_1.exea599quq1595ek_1.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exeWxzzZNQHI3.exeUrXJ4xouC3.exeZSZAUJV5RA.exemc1wc5757.exebEAuR4J6Mp.exelbZoNDahtD.exer4smJnFUj3.exeazchgftrq.execLK6vDADey.exeozchgftrq.exe

description	pid	process	target process
PID 1212 set thread context of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 3636 set thread context of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 1256 set thread context of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 3784 set thread context of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 2192 set thread context of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 3192 set thread context of 512	3192	WxzzZNQHI3.exe	WxzzZNQHI3.exe
PID 992 set thread context of 1548	992	UrXJ4xouC3.exe	UrXJ4xouC3.exe
PID 644 set thread context of 2520	644	ZSZAUJV5RA.exe	ZSZAUJV5RA.exe
PID 2936 set thread context of 360	2936	mc1wc5757.exe	mc1wc5757.exe
PID 4876 set thread context of 4972	4876	bEAuR4J6Mp.exe	bEAuR4J6Mp.exe
PID 4532 set thread context of 3700	4532	lbZoNDahtD.exe	lbZoNDahtD.exe
PID 5084 set thread context of 4176	5084	r4smJnFUj3.exe	r4smJnFUj3.exe
PID 1012 set thread context of 4208	1012	azchgftrq.exe	azchgftrq.exe
PID 3900 set thread context of 1888	3900	cLK6vDADey.exe	ieinstal.exe
PID 4956 set thread context of 4528	4956	ozchgftrq.exe	ozchgftrq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

a599quq1595ek_1.exeFDvbcgfert.exeozchgftrq.exeou55sg33s_1.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a599quq1595ek_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a599quq1595ek_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FDvbcgfert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ozchgftrq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ou55sg33s_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ou55sg33s_1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2324 timeout.exe
4856 timeout.exe

pid	process
2324	timeout.exe
4856	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1676 taskkill.exe
2244 taskkill.exe
5012 taskkill.exe
3108 taskkill.exe

pid	process
1676	taskkill.exe
2244	taskkill.exe
5012	taskkill.exe
3108	taskkill.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

Processes:

explorer.exeregedit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	regedit.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4520 reg.exe
1940 reg.exe
5000 reg.exe

pid	process
4520	reg.exe
1940	reg.exe
5000	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

cLK6vDADey.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cLK6vDADey.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cLK6vDADey.exe

NTFS ADS 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe:150EFC68	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe:150EFC68	explorer.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

1224 regedit.exe

pid	process
1224	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exeUrXJ4xouC3.exe

pid	process
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
4084	explorer.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

ou55sg33s_1.exea599quq1595ek_1.exeexplorer.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exe

pid	process
4004	ou55sg33s_1.exe
4004	ou55sg33s_1.exe
2604	a599quq1595ek_1.exe
2604	a599quq1595ek_1.exe
4084	explorer.exe
1256	a7eo39ywgs5.exe
3784	FGbfttrev.exe
2192	FDvbcgfert.exe
4084	explorer.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

ou55sg33s_1.exe

pid process

4004 ou55sg33s_1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ou55sg33s_1.exeexplorer.exea599quq1595ek_1.exeregedit.exetaskkill.exeWxzzZNQHI3.exeUrXJ4xouC3.exeUrXJ4xouC3.exe

description	pid	process
Token: SeDebugPrivilege	4004	ou55sg33s_1.exe
Token: SeRestorePrivilege	4004	ou55sg33s_1.exe
Token: SeBackupPrivilege	4004	ou55sg33s_1.exe
Token: SeLoadDriverPrivilege	4004	ou55sg33s_1.exe
Token: SeCreatePagefilePrivilege	4004	ou55sg33s_1.exe
Token: SeShutdownPrivilege	4004	ou55sg33s_1.exe
Token: SeTakeOwnershipPrivilege	4004	ou55sg33s_1.exe
Token: SeChangeNotifyPrivilege	4004	ou55sg33s_1.exe
Token: SeCreateTokenPrivilege	4004	ou55sg33s_1.exe
Token: SeMachineAccountPrivilege	4004	ou55sg33s_1.exe
Token: SeSecurityPrivilege	4004	ou55sg33s_1.exe
Token: SeAssignPrimaryTokenPrivilege	4004	ou55sg33s_1.exe
Token: SeCreateGlobalPrivilege	4004	ou55sg33s_1.exe
Token: 33	4004	ou55sg33s_1.exe
Token: SeDebugPrivilege	4084	explorer.exe
Token: SeRestorePrivilege	4084	explorer.exe
Token: SeBackupPrivilege	4084	explorer.exe
Token: SeLoadDriverPrivilege	4084	explorer.exe
Token: SeCreatePagefilePrivilege	4084	explorer.exe
Token: SeShutdownPrivilege	4084	explorer.exe
Token: SeTakeOwnershipPrivilege	4084	explorer.exe
Token: SeChangeNotifyPrivilege	4084	explorer.exe
Token: SeCreateTokenPrivilege	4084	explorer.exe
Token: SeMachineAccountPrivilege	4084	explorer.exe
Token: SeSecurityPrivilege	4084	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	4084	explorer.exe
Token: SeCreateGlobalPrivilege	4084	explorer.exe
Token: 33	4084	explorer.exe
Token: SeDebugPrivilege	2604	a599quq1595ek_1.exe
Token: SeRestorePrivilege	2604	a599quq1595ek_1.exe
Token: SeBackupPrivilege	2604	a599quq1595ek_1.exe
Token: SeLoadDriverPrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeShutdownPrivilege	2604	a599quq1595ek_1.exe
Token: SeTakeOwnershipPrivilege	2604	a599quq1595ek_1.exe
Token: SeChangeNotifyPrivilege	2604	a599quq1595ek_1.exe
Token: SeCreateTokenPrivilege	2604	a599quq1595ek_1.exe
Token: SeMachineAccountPrivilege	2604	a599quq1595ek_1.exe
Token: SeSecurityPrivilege	2604	a599quq1595ek_1.exe
Token: SeAssignPrimaryTokenPrivilege	2604	a599quq1595ek_1.exe
Token: SeCreateGlobalPrivilege	2604	a599quq1595ek_1.exe
Token: 33	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeCreatePagefilePrivilege	2604	a599quq1595ek_1.exe
Token: SeDebugPrivilege	1224	regedit.exe
Token: SeRestorePrivilege	1224	regedit.exe
Token: SeBackupPrivilege	1224	regedit.exe
Token: SeLoadDriverPrivilege	1224	regedit.exe
Token: SeCreatePagefilePrivilege	1224	regedit.exe
Token: SeShutdownPrivilege	1224	regedit.exe
Token: SeTakeOwnershipPrivilege	1224	regedit.exe
Token: SeChangeNotifyPrivilege	1224	regedit.exe
Token: SeCreateTokenPrivilege	1224	regedit.exe
Token: SeMachineAccountPrivilege	1224	regedit.exe
Token: SeSecurityPrivilege	1224	regedit.exe
Token: SeAssignPrimaryTokenPrivilege	1224	regedit.exe
Token: SeCreateGlobalPrivilege	1224	regedit.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	3192	WxzzZNQHI3.exe
Token: SeDebugPrivilege	992	UrXJ4xouC3.exe
Token: SeDebugPrivilege	1548	UrXJ4xouC3.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

a7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exeUrXJ4xouC3.exelbZoNDahtD.exe

pid process

1256 a7eo39ywgs5.exe
3784 FGbfttrev.exe
2192 FDvbcgfert.exe
1548 UrXJ4xouC3.exe
1548 UrXJ4xouC3.exe
3700 lbZoNDahtD.exe
3700 lbZoNDahtD.exe

pid	process
1256	a7eo39ywgs5.exe
3784	FGbfttrev.exe
2192	FDvbcgfert.exe
1548	UrXJ4xouC3.exe
1548	UrXJ4xouC3.exe
3700	lbZoNDahtD.exe
3700	lbZoNDahtD.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ou55sg33s_1.exeou55sg33s_1.exeexplorer.exea599quq1595ek_1.exea599quq1595ek_1.exea7eo39ywgs5.exeFGbfttrev.exeFDvbcgfert.exeFDvbcgfert.execmd.exea7eo39ywgs5.exe

description	pid	process	target process
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 1212 wrote to memory of 4004	1212	ou55sg33s_1.exe	ou55sg33s_1.exe
PID 4004 wrote to memory of 4084	4004	ou55sg33s_1.exe	explorer.exe
PID 4004 wrote to memory of 4084	4004	ou55sg33s_1.exe	explorer.exe
PID 4004 wrote to memory of 4084	4004	ou55sg33s_1.exe	explorer.exe
PID 4084 wrote to memory of 3636	4084	explorer.exe	a599quq1595ek_1.exe
PID 4084 wrote to memory of 3636	4084	explorer.exe	a599quq1595ek_1.exe
PID 4084 wrote to memory of 3636	4084	explorer.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 3636 wrote to memory of 2604	3636	a599quq1595ek_1.exe	a599quq1595ek_1.exe
PID 2604 wrote to memory of 1224	2604	a599quq1595ek_1.exe	regedit.exe
PID 2604 wrote to memory of 1224	2604	a599quq1595ek_1.exe	regedit.exe
PID 2604 wrote to memory of 1224	2604	a599quq1595ek_1.exe	regedit.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 4084 wrote to memory of 1256	4084	explorer.exe	a7eo39ywgs5.exe
PID 1256 wrote to memory of 3784	1256	a7eo39ywgs5.exe	FGbfttrev.exe
PID 1256 wrote to memory of 3784	1256	a7eo39ywgs5.exe	FGbfttrev.exe
PID 1256 wrote to memory of 3784	1256	a7eo39ywgs5.exe	FGbfttrev.exe
PID 1256 wrote to memory of 2192	1256	a7eo39ywgs5.exe	FDvbcgfert.exe
PID 1256 wrote to memory of 2192	1256	a7eo39ywgs5.exe	FDvbcgfert.exe
PID 1256 wrote to memory of 2192	1256	a7eo39ywgs5.exe	FDvbcgfert.exe
PID 1256 wrote to memory of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 1256 wrote to memory of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 1256 wrote to memory of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 1256 wrote to memory of 3940	1256	a7eo39ywgs5.exe	a7eo39ywgs5.exe
PID 3784 wrote to memory of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 3784 wrote to memory of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 3784 wrote to memory of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 3784 wrote to memory of 1892	3784	FGbfttrev.exe	FGbfttrev.exe
PID 2192 wrote to memory of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 2192 wrote to memory of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 2192 wrote to memory of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 2192 wrote to memory of 188	2192	FDvbcgfert.exe	FDvbcgfert.exe
PID 188 wrote to memory of 936	188	FDvbcgfert.exe	cmd.exe
PID 188 wrote to memory of 936	188	FDvbcgfert.exe	cmd.exe
PID 188 wrote to memory of 936	188	FDvbcgfert.exe	cmd.exe
PID 936 wrote to memory of 1676	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 1676	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 1676	936	cmd.exe	taskkill.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 4084 wrote to memory of 2936	4084	explorer.exe	mc1wc5757.exe
PID 3940 wrote to memory of 3192	3940	a7eo39ywgs5.exe	WxzzZNQHI3.exe
PID 3940 wrote to memory of 3192	3940	a7eo39ywgs5.exe	WxzzZNQHI3.exe
PID 3940 wrote to memory of 3192	3940	a7eo39ywgs5.exe	WxzzZNQHI3.exe
PID 3940 wrote to memory of 3900	3940	a7eo39ywgs5.exe	cLK6vDADey.exe
PID 3940 wrote to memory of 3900	3940	a7eo39ywgs5.exe	cLK6vDADey.exe
PID 3940 wrote to memory of 3900	3940	a7eo39ywgs5.exe	cLK6vDADey.exe
PID 3940 wrote to memory of 992	3940	a7eo39ywgs5.exe	UrXJ4xouC3.exe
PID 3940 wrote to memory of 992	3940	a7eo39ywgs5.exe	UrXJ4xouC3.exe
PID 3940 wrote to memory of 992	3940	a7eo39ywgs5.exe	UrXJ4xouC3.exe
PID 3940 wrote to memory of 644	3940	a7eo39ywgs5.exe	ZSZAUJV5RA.exe
PID 3940 wrote to memory of 644	3940	a7eo39ywgs5.exe	ZSZAUJV5RA.exe

C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe
"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe
"C:\Users\Admin\AppData\Local\Temp\ou55sg33s_1.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe
/suac
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe
"C:\Users\Admin\AppData\Local\Temp\a599quq1595ek_1.exe"
5⤵
- Modifies firewall policy service
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\SysWOW64\regedit.exe"
6⤵
- Modifies security service
- Adds Run key to start application
- Modifies Internet Explorer settings
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe
"C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe
"C:\Users\Admin\AppData\Local\Temp\FGbfttrev.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1892

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe
"C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 188 & erase C:\Users\Admin\AppData\Local\Temp\FDvbcgfert.exe & RD /S /Q C:\\ProgramData\\628675879158083\\* & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 188
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe
"C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe
"C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe
"C:\Users\Admin\AppData\Local\Temp\WxzzZNQHI3.exe"
7⤵
- Executes dropped EXE
PID:512

C:\Users\Admin\AppData\Local\Temp\cLK6vDADey.exe
"C:\Users\Admin\AppData\Local\Temp\cLK6vDADey.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:3900

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
7⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ZvOXjtso.bat" "
8⤵
PID:420

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
9⤵
- Modifies registry key
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
9⤵
- Modifies registry key
PID:1940

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
9⤵
PID:4620

C:\Windows\SysWOW64\reg.exe
reg delete hkcu\Environment /v windir /f
9⤵
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\ZvOXjtso.bat" "
8⤵
PID:4132

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
7⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe
"C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe
"C:\Users\Admin\AppData\Local\Temp\UrXJ4xouC3.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1548

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\ia3j3zrx.inf
8⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe
"C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:644

C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe
"C:\Users\Admin\AppData\Local\Temp\ZSZAUJV5RA.exe"
7⤵
- Executes dropped EXE
- Windows security modification
PID:2520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
8⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a7eo39ywgs5.exe"
6⤵
PID:3880

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:2324

C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe
"C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:2936

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
"C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1012

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
"C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4956

C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe
"{path}"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 4528 & erase C:\Users\Admin\AppData\Local\Temp\ozchgftrq.exe & RD /S /Q C:\\ProgramData\\090407618315232\\* & exit
8⤵
PID:4500

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 4528
9⤵
- Kills process with taskkill
PID:3108

C:\Users\Admin\AppData\Local\Temp\azchgftrq.exe
"{path}"
6⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe
"{path}"
5⤵
- Executes dropped EXE
PID:2764

C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe
"{path}"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
PID:360

C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe
"C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4876

C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe
"C:\Users\Admin\AppData\Local\Temp\bEAuR4J6Mp.exe"
7⤵
- Executes dropped EXE
PID:4972

C:\Users\Admin\AppData\Local\Temp\oGMCJJj985.exe
"C:\Users\Admin\AppData\Local\Temp\oGMCJJj985.exe"
6⤵
- Executes dropped EXE
PID:4476

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
7⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe
"C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4532

C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe
"C:\Users\Admin\AppData\Local\Temp\lbZoNDahtD.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3700

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\gqmczy35.inf
8⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe
"C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5084

C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe
"C:\Users\Admin\AppData\Local\Temp\r4smJnFUj3.exe"
7⤵
- Executes dropped EXE
- Windows security modification
PID:4176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
8⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\mc1wc5757.exe"
6⤵
PID:4436

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:4856

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\mpmheacv.exe
2⤵
PID:2316

C:\Windows\temp\mpmheacv.exe
C:\Windows\temp\mpmheacv.exe
3⤵
- Executes dropped EXE
PID:1236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
PID:1340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
PID:3236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
PID:4784

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Windows\temp\ynxywetm.exe
2⤵
PID:4364

C:\Windows\temp\ynxywetm.exe
C:\Windows\temp\ynxywetm.exe
3⤵
- Executes dropped EXE
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
PID:4316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
PID:500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
PID:5224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
PID:5344

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cmstp.exe /F
2⤵
- Kills process with taskkill
PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Security Software Discovery

T1063

System Information Discovery