asyncrat | a92eb964d56ff8dccb926598aca597a6244d10334f264aafcba9752a30dbe9b3

System Information Discovery

Processes:

4CAE.exeFineeest_.exe48E5.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4CAE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4CAE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fineeest_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fineeest_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48E5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48E5.exe

Deletes itself 1 IoCs

Processes:

pid	Process
1276

Loads dropped DLL 20 IoCs

Processes:

3E49.exe4EB1.exeAdvancedRun.exe573C.exe

pid	Process
1500	3E49.exe
1500	3E49.exe
1088	4EB1.exe
1088	4EB1.exe
108	AdvancedRun.exe
108	AdvancedRun.exe
1500	3E49.exe
1500	3E49.exe
1500	3E49.exe
2044	573C.exe
2044	573C.exe
1500	3E49.exe
1500	3E49.exe
1500	3E49.exe
1500	3E49.exe
1500	3E49.exe
1500	3E49.exe
1500	3E49.exe
1500	3E49.exe
1500	3E49.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x00040000000130c2-84.dat	themida
behavioral1/memory/1344-88-0x0000000001080000-0x0000000001081000-memory.dmp	themida
behavioral1/files/0x00040000000130c3-90.dat	themida
behavioral1/memory/1060-97-0x0000000000F60000-0x0000000000F61000-memory.dmp	themida
behavioral1/files/0x000e000000012fc0-293.dat	themida

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

4EB1.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	4EB1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4EB1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	4EB1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	4EB1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4EB1.exe = "0"	4EB1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	4EB1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4EB1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	4EB1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

573C.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	573C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\services.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\services.exe\" -start"	573C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

48E5.exe4CAE.exe4EB1.exeFineeest_.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	48E5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4CAE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4EB1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4EB1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fineeest_.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

PryntVirus.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\c83ccdbaf7b1659662ea6a2a5474aded\Admin@QWOCTUPM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\c83ccdbaf7b1659662ea6a2a5474aded\Admin@QWOCTUPM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\c83ccdbaf7b1659662ea6a2a5474aded\Admin@QWOCTUPM_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\c83ccdbaf7b1659662ea6a2a5474aded\Admin@QWOCTUPM_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\c83ccdbaf7b1659662ea6a2a5474aded\Admin@QWOCTUPM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

services.exe

description	ioc	Process
File opened (read-only)	\??\R:	services.exe
File opened (read-only)	\??\O:	services.exe
File opened (read-only)	\??\N:	services.exe
File opened (read-only)	\??\K:	services.exe
File opened (read-only)	\??\J:	services.exe
File opened (read-only)	\??\B:	services.exe
File opened (read-only)	\??\T:	services.exe
File opened (read-only)	\??\Y:	services.exe
File opened (read-only)	\??\X:	services.exe
File opened (read-only)	\??\U:	services.exe
File opened (read-only)	\??\Q:	services.exe
File opened (read-only)	\??\I:	services.exe
File opened (read-only)	\??\A:	services.exe
File opened (read-only)	\??\Z:	services.exe
File opened (read-only)	\??\M:	services.exe
File opened (read-only)	\??\L:	services.exe
File opened (read-only)	\??\H:	services.exe
File opened (read-only)	\??\W:	services.exe
File opened (read-only)	\??\S:	services.exe
File opened (read-only)	\??\P:	services.exe
File opened (read-only)	\??\G:	services.exe
File opened (read-only)	\??\F:	services.exe
File opened (read-only)	\??\E:	services.exe
File opened (read-only)	\??\V:	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
28	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

48E5.exe4CAE.exeFineeest_.exe

pid	Process
1344	48E5.exe
1060	4CAE.exe
2104	Fineeest_.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

b8f76d9cd83557379f3fe8b5dd080f9a.exe3E49.exe42EC.exe4EB1.exe

description	pid	Process	procid_target
PID 1924 set thread context of 584	1924	b8f76d9cd83557379f3fe8b5dd080f9a.exe	27
PID 1500 set thread context of 1728	1500	3E49.exe	34
PID 1652 set thread context of 1836	1652	42EC.exe	51
PID 1088 set thread context of 1648	1088	4EB1.exe	66
PID 1500 set thread context of 844	1500	3E49.exe	60
PID 1500 set thread context of 2388	1500	3E49.exe	70
PID 1500 set thread context of 1108	1500	3E49.exe	97
PID 1500 set thread context of 1980	1500	3E49.exe	106
PID 1500 set thread context of 2384	1500	3E49.exe	107
PID 1500 set thread context of 2400	1500	3E49.exe	108

Drops file in Program Files directory 64 IoCs

Processes:

services.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	services.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore.change_2.10.0.v20140901-1043.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.ini	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref.wmv	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Belgrade	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.payfast290.15D-F13-28E	services.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt.payfast290.15D-F13-28E	services.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar.payfast290.15D-F13-28E	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

b8f76d9cd83557379f3fe8b5dd080f9a.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8f76d9cd83557379f3fe8b5dd080f9a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8f76d9cd83557379f3fe8b5dd080f9a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b8f76d9cd83557379f3fe8b5dd080f9a.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
2916	vssadmin.exe
1960	vssadmin.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

573C.exeservices.exe42EC.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	573C.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	573C.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	573C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	42EC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	42EC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b8f76d9cd83557379f3fe8b5dd080f9a.exe

pid	Process
584	b8f76d9cd83557379f3fe8b5dd080f9a.exe
584	b8f76d9cd83557379f3fe8b5dd080f9a.exe
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
1276

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

b8f76d9cd83557379f3fe8b5dd080f9a.exe

pid	Process
584	b8f76d9cd83557379f3fe8b5dd080f9a.exe
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

42EC.exeAdvancedRun.exeAdvancedRun.exe4EB1.exepowershell.exepowershell.exe5096.exe4CAE.exe573C.exeaspnet_regsql.exe48E5.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	1276
Token: SeShutdownPrivilege	1276
Token: SeDebugPrivilege	1652	42EC.exe
Token: SeShutdownPrivilege	1276
Token: SeShutdownPrivilege	1276
Token: SeShutdownPrivilege	1276
Token: SeShutdownPrivilege	1276
Token: SeShutdownPrivilege	1276
Token: SeDebugPrivilege	108	AdvancedRun.exe
Token: SeImpersonatePrivilege	108	AdvancedRun.exe
Token: SeDebugPrivilege	940	AdvancedRun.exe
Token: SeImpersonatePrivilege	940	AdvancedRun.exe
Token: SeDebugPrivilege	1088	4EB1.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1924	5096.exe
Token: SeDebugPrivilege	1060	4CAE.exe
Token: SeDebugPrivilege	2044	573C.exe
Token: SeDebugPrivilege	2044	573C.exe
Token: SeDebugPrivilege	1648	aspnet_regsql.exe
Token: SeShutdownPrivilege	1276
Token: SeShutdownPrivilege	1276
Token: SeDebugPrivilege	1344	48E5.exe
Token: SeShutdownPrivilege	1276
Token: SeShutdownPrivilege	1276
Token: SeIncreaseQuotaPrivilege	2932	WMIC.exe
Token: SeSecurityPrivilege	2932	WMIC.exe
Token: SeTakeOwnershipPrivilege	2932	WMIC.exe
Token: SeLoadDriverPrivilege	2932	WMIC.exe
Token: SeSystemProfilePrivilege	2932	WMIC.exe
Token: SeSystemtimePrivilege	2932	WMIC.exe
Token: SeProfSingleProcessPrivilege	2932	WMIC.exe
Token: SeIncBasePriorityPrivilege	2932	WMIC.exe
Token: SeCreatePagefilePrivilege	2932	WMIC.exe
Token: SeBackupPrivilege	2932	WMIC.exe
Token: SeRestorePrivilege	2932	WMIC.exe
Token: SeShutdownPrivilege	2932	WMIC.exe
Token: SeDebugPrivilege	2932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2932	WMIC.exe
Token: SeRemoteShutdownPrivilege	2932	WMIC.exe
Token: SeUndockPrivilege	2932	WMIC.exe
Token: SeManageVolumePrivilege	2932	WMIC.exe
Token: 33	2932	WMIC.exe
Token: 34	2932	WMIC.exe
Token: 35	2932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2792	WMIC.exe
Token: SeSecurityPrivilege	2792	WMIC.exe
Token: SeTakeOwnershipPrivilege	2792	WMIC.exe
Token: SeLoadDriverPrivilege	2792	WMIC.exe
Token: SeSystemProfilePrivilege	2792	WMIC.exe
Token: SeSystemtimePrivilege	2792	WMIC.exe
Token: SeProfSingleProcessPrivilege	2792	WMIC.exe
Token: SeIncBasePriorityPrivilege	2792	WMIC.exe
Token: SeCreatePagefilePrivilege	2792	WMIC.exe
Token: SeBackupPrivilege	2792	WMIC.exe
Token: SeRestorePrivilege	2792	WMIC.exe
Token: SeShutdownPrivilege	2792	WMIC.exe
Token: SeDebugPrivilege	2792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2792	WMIC.exe
Token: SeRemoteShutdownPrivilege	2792	WMIC.exe
Token: SeUndockPrivilege	2792	WMIC.exe
Token: SeManageVolumePrivilege	2792	WMIC.exe
Token: 33	2792	WMIC.exe
Token: 34	2792	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid	Process
1276
1276
1276
1276

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid	Process
1276
1276
1276
1276

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3BB9.exe

pid	Process
900	3BB9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b8f76d9cd83557379f3fe8b5dd080f9a.exe3E49.exe

description	pid	Process	procid_target
PID 1924 wrote to memory of 584	1924	b8f76d9cd83557379f3fe8b5dd080f9a.exe	27
PID 1924 wrote to memory of 584	1924	b8f76d9cd83557379f3fe8b5dd080f9a.exe	27
PID 1924 wrote to memory of 584	1924	b8f76d9cd83557379f3fe8b5dd080f9a.exe	27
PID 1924 wrote to memory of 584	1924	b8f76d9cd83557379f3fe8b5dd080f9a.exe	27
PID 1924 wrote to memory of 584	1924	b8f76d9cd83557379f3fe8b5dd080f9a.exe	27
PID 1924 wrote to memory of 584	1924	b8f76d9cd83557379f3fe8b5dd080f9a.exe	27
PID 1924 wrote to memory of 584	1924	b8f76d9cd83557379f3fe8b5dd080f9a.exe	27
PID 1276 wrote to memory of 900	1276		30
PID 1276 wrote to memory of 900	1276		30
PID 1276 wrote to memory of 900	1276		30
PID 1276 wrote to memory of 900	1276		30
PID 1276 wrote to memory of 1500	1276		31
PID 1276 wrote to memory of 1500	1276		31
PID 1276 wrote to memory of 1500	1276		31
PID 1276 wrote to memory of 1500	1276		31
PID 1276 wrote to memory of 1652	1276		33
PID 1276 wrote to memory of 1652	1276		33
PID 1276 wrote to memory of 1652	1276		33
PID 1276 wrote to memory of 1652	1276		33
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1276 wrote to memory of 1344	1276		35
PID 1276 wrote to memory of 1344	1276		35
PID 1276 wrote to memory of 1344	1276		35
PID 1276 wrote to memory of 1344	1276		35
PID 1276 wrote to memory of 1344	1276		35
PID 1276 wrote to memory of 1344	1276		35
PID 1276 wrote to memory of 1344	1276		35
PID 1276 wrote to memory of 1060	1276		37
PID 1276 wrote to memory of 1060	1276		37
PID 1276 wrote to memory of 1060	1276		37
PID 1276 wrote to memory of 1060	1276		37
PID 1276 wrote to memory of 1060	1276		37
PID 1276 wrote to memory of 1060	1276		37
PID 1276 wrote to memory of 1060	1276		37
PID 1276 wrote to memory of 1088	1276		39
PID 1276 wrote to memory of 1088	1276		39
PID 1276 wrote to memory of 1088	1276		39
PID 1276 wrote to memory of 1088	1276		39
PID 1276 wrote to memory of 1924	1276		41
PID 1276 wrote to memory of 1924	1276		41
PID 1276 wrote to memory of 1924	1276		41
PID 1276 wrote to memory of 1924	1276		41
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1500 wrote to memory of 1728	1500	3E49.exe	34
PID 1500 wrote to memory of 1624	1500	3E49.exe	42
PID 1500 wrote to memory of 1624	1500	3E49.exe	42
PID 1500 wrote to memory of 1624	1500	3E49.exe	42
PID 1500 wrote to memory of 1624	1500	3E49.exe	42
PID 1276 wrote to memory of 1240	1276		43
PID 1276 wrote to memory of 1240	1276		43
PID 1276 wrote to memory of 1240	1276		43
PID 1276 wrote to memory of 2044	1276		44
PID 1276 wrote to memory of 2044	1276		44
PID 1276 wrote to memory of 2044	1276		44
PID 1276 wrote to memory of 2044	1276		44
PID 1276 wrote to memory of 296	1276		45
PID 1276 wrote to memory of 296	1276		45
PID 1276 wrote to memory of 296	1276		45

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

4EB1.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4EB1.exe

C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe
"C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe
  "C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:584

C:\Users\Admin\AppData\Local\Temp\3BB9.exe
C:\Users\Admin\AppData\Local\Temp\3BB9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:900

C:\Users\Admin\AppData\Local\Temp\3E49.exe
C:\Users\Admin\AppData\Local\Temp\3E49.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\3E49.exe
  C:\Users\Admin\AppData\Local\Temp\3E49.exe
  2⤵
  PID:2080

C:\Users\Admin\AppData\Local\Temp\42EC.exe
C:\Users\Admin\AppData\Local\Temp\42EC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1836

C:\Users\Admin\AppData\Local\Temp\48E5.exe
C:\Users\Admin\AppData\Local\Temp\48E5.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Users\Admin\AppData\Local\Temp\4CAE.exe
C:\Users\Admin\AppData\Local\Temp\4CAE.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Admin\AppData\Local\Temp\4EB1.exe
C:\Users\Admin\AppData\Local\Temp\4EB1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1088
- C:\Users\Admin\AppData\Local\Temp\bbe0d961-edb7-459d-80e9-d4a6d77ea109\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\bbe0d961-edb7-459d-80e9-d4a6d77ea109\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\bbe0d961-edb7-459d-80e9-d4a6d77ea109\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- - C:\Users\Admin\AppData\Local\Temp\bbe0d961-edb7-459d-80e9-d4a6d77ea109\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\bbe0d961-edb7-459d-80e9-d4a6d77ea109\AdvancedRun.exe" /SpecialRun 4101d8 108
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4EB1.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4EB1.exe" -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
  2⤵
  PID:1128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
  2⤵
  PID:984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:2008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1648

C:\Users\Admin\AppData\Local\Temp\5096.exe
C:\Users\Admin\AppData\Local\Temp\5096.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Users\Admin\AppData\Local\Temp\55B5.exe
C:\Users\Admin\AppData\Local\Temp\55B5.exe
1⤵
- Executes dropped EXE
PID:1240
- C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe
  "C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe
  "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\1000 hq.exe
  "C:\Users\Admin\AppData\Local\Temp\1000 hq.exe"
  2⤵
  - Executes dropped EXE
  PID:2396

C:\Users\Admin\AppData\Local\Temp\573C.exe
C:\Users\Admin\AppData\Local\Temp\573C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2044
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:2584
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:2772
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1960
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\services.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2820
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:296

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1292

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:980

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1184

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2192

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery