glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	R5OSQl6f_wNGMpyVqz2H28xb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	R5OSQl6f_wNGMpyVqz2H28xb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	84833096726.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	84833096726.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (19).exe

Loads dropped DLL 34 IoCs

pid	Process
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
1100	Setup (19).exe
2628	cmd.exe
2548	cmd.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral21/files/0x000300000001317a-90.dat	themida
behavioral21/files/0x000300000001317d-79.dat	themida
behavioral21/files/0x000300000001317a-77.dat	themida
behavioral21/files/0x0003000000013190-112.dat	themida
behavioral21/files/0x0003000000013190-137.dat	themida
behavioral21/files/0x000300000001317d-165.dat	themida
behavioral21/memory/1360-172-0x00000000002E0000-0x00000000002E1000-memory.dmp	themida
behavioral21/files/0x00040000000131a7-180.dat	themida
behavioral21/files/0x00040000000131a7-178.dat	themida
behavioral21/files/0x00040000000131a7-177.dat	themida
behavioral21/memory/2692-188-0x0000000000A10000-0x0000000000A11000-memory.dmp	themida
behavioral21/memory/2836-205-0x00000000001E0000-0x00000000001E1000-memory.dmp	themida
behavioral21/memory/928-206-0x0000000001270000-0x0000000001271000-memory.dmp	themida
behavioral21/memory/1456-218-0x0000000000C10000-0x0000000000C11000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	R5OSQl6f_wNGMpyVqz2H28xb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84833096726.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
86	ip-api.com
227	ipinfo.io
228	ipinfo.io
21	ipinfo.io
22	ipinfo.io
29	api.db-ip.com
30	api.db-ip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1360	R5OSQl6f_wNGMpyVqz2H28xb.exe
2692	84833096726.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 292 set thread context of 2760	292	NtDVm0vvycoM8hdFANFNfii2.exe	69

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	436	WerFault.exe	55

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NtDVm0vvycoM8hdFANFNfii2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NtDVm0vvycoM8hdFANFNfii2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NtDVm0vvycoM8hdFANFNfii2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2948	schtasks.exe
2484	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1152	taskkill.exe
832	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (19).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (19).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (19).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (19).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (19).exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1100	Setup (19).exe
2760	NtDVm0vvycoM8hdFANFNfii2.exe
2760	NtDVm0vvycoM8hdFANFNfii2.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2760	NtDVm0vvycoM8hdFANFNfii2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1068	1100	Setup (19).exe	32
PID 1100 wrote to memory of 1068	1100	Setup (19).exe	32
PID 1100 wrote to memory of 1068	1100	Setup (19).exe	32
PID 1100 wrote to memory of 1068	1100	Setup (19).exe	32
PID 1100 wrote to memory of 292	1100	Setup (19).exe	31
PID 1100 wrote to memory of 292	1100	Setup (19).exe	31
PID 1100 wrote to memory of 292	1100	Setup (19).exe	31
PID 1100 wrote to memory of 292	1100	Setup (19).exe	31
PID 1100 wrote to memory of 872	1100	Setup (19).exe	41
PID 1100 wrote to memory of 872	1100	Setup (19).exe	41
PID 1100 wrote to memory of 872	1100	Setup (19).exe	41
PID 1100 wrote to memory of 872	1100	Setup (19).exe	41
PID 1100 wrote to memory of 536	1100	Setup (19).exe	40
PID 1100 wrote to memory of 536	1100	Setup (19).exe	40
PID 1100 wrote to memory of 536	1100	Setup (19).exe	40
PID 1100 wrote to memory of 536	1100	Setup (19).exe	40
PID 1100 wrote to memory of 1620	1100	Setup (19).exe	39
PID 1100 wrote to memory of 1620	1100	Setup (19).exe	39
PID 1100 wrote to memory of 1620	1100	Setup (19).exe	39
PID 1100 wrote to memory of 1620	1100	Setup (19).exe	39
PID 1100 wrote to memory of 1696	1100	Setup (19).exe	38
PID 1100 wrote to memory of 1696	1100	Setup (19).exe	38
PID 1100 wrote to memory of 1696	1100	Setup (19).exe	38
PID 1100 wrote to memory of 1696	1100	Setup (19).exe	38
PID 1100 wrote to memory of 1696	1100	Setup (19).exe	38
PID 1100 wrote to memory of 1696	1100	Setup (19).exe	38
PID 1100 wrote to memory of 1696	1100	Setup (19).exe	38
PID 1100 wrote to memory of 1360	1100	Setup (19).exe	37
PID 1100 wrote to memory of 1360	1100	Setup (19).exe	37
PID 1100 wrote to memory of 1360	1100	Setup (19).exe	37
PID 1100 wrote to memory of 1360	1100	Setup (19).exe	37
PID 1100 wrote to memory of 1360	1100	Setup (19).exe	37
PID 1100 wrote to memory of 1360	1100	Setup (19).exe	37
PID 1100 wrote to memory of 1360	1100	Setup (19).exe	37
PID 1100 wrote to memory of 2032	1100	Setup (19).exe	36
PID 1100 wrote to memory of 2032	1100	Setup (19).exe	36
PID 1100 wrote to memory of 2032	1100	Setup (19).exe	36
PID 1100 wrote to memory of 2032	1100	Setup (19).exe	36
PID 1100 wrote to memory of 936	1100	Setup (19).exe	35
PID 1100 wrote to memory of 936	1100	Setup (19).exe	35
PID 1100 wrote to memory of 936	1100	Setup (19).exe	35
PID 1100 wrote to memory of 936	1100	Setup (19).exe	35
PID 1100 wrote to memory of 1500	1100	Setup (19).exe	34
PID 1100 wrote to memory of 1500	1100	Setup (19).exe	34
PID 1100 wrote to memory of 1500	1100	Setup (19).exe	34
PID 1100 wrote to memory of 1500	1100	Setup (19).exe	34
PID 1100 wrote to memory of 1816	1100	Setup (19).exe	33
PID 1100 wrote to memory of 1816	1100	Setup (19).exe	33
PID 1100 wrote to memory of 1816	1100	Setup (19).exe	33
PID 1100 wrote to memory of 1816	1100	Setup (19).exe	33
PID 1100 wrote to memory of 760	1100	Setup (19).exe	45
PID 1100 wrote to memory of 760	1100	Setup (19).exe	45
PID 1100 wrote to memory of 760	1100	Setup (19).exe	45
PID 1100 wrote to memory of 760	1100	Setup (19).exe	45
PID 1100 wrote to memory of 1592	1100	Setup (19).exe	44
PID 1100 wrote to memory of 1592	1100	Setup (19).exe	44
PID 1100 wrote to memory of 1592	1100	Setup (19).exe	44
PID 1100 wrote to memory of 1592	1100	Setup (19).exe	44
PID 1100 wrote to memory of 1592	1100	Setup (19).exe	44
PID 1100 wrote to memory of 1592	1100	Setup (19).exe	44
PID 1100 wrote to memory of 1592	1100	Setup (19).exe	44
PID 1100 wrote to memory of 928	1100	Setup (19).exe	46
PID 1100 wrote to memory of 928	1100	Setup (19).exe	46
PID 1100 wrote to memory of 928	1100	Setup (19).exe	46

C:\Users\Admin\AppData\Local\Temp\Setup (19).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\Documents\NtDVm0vvycoM8hdFANFNfii2.exe
  "C:\Users\Admin\Documents\NtDVm0vvycoM8hdFANFNfii2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:292
- - C:\Users\Admin\Documents\NtDVm0vvycoM8hdFANFNfii2.exe
    "C:\Users\Admin\Documents\NtDVm0vvycoM8hdFANFNfii2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2760
- C:\Users\Admin\Documents\bJNlkAJU_k4zpmsnf77pmZxU.exe
  "C:\Users\Admin\Documents\bJNlkAJU_k4zpmsnf77pmZxU.exe"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Users\Admin\Documents\_nT2fNOwOOwOnDLr0HDKbVi1.exe
  "C:\Users\Admin\Documents\_nT2fNOwOOwOnDLr0HDKbVi1.exe"
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Users\Admin\Documents\66Y3N9H4CNVdXatbLqXjCjhj.exe
  "C:\Users\Admin\Documents\66Y3N9H4CNVdXatbLqXjCjhj.exe"
  2⤵
  PID:1500
- C:\Users\Admin\Documents\EWrfe5D56RgnHsHBPvcBBfWx.exe
  "C:\Users\Admin\Documents\EWrfe5D56RgnHsHBPvcBBfWx.exe"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Users\Admin\Documents\5dUvVEj8vJGGitkACxGo9J9f.exe
  "C:\Users\Admin\Documents\5dUvVEj8vJGGitkACxGo9J9f.exe"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Users\Admin\Documents\R5OSQl6f_wNGMpyVqz2H28xb.exe
  "C:\Users\Admin\Documents\R5OSQl6f_wNGMpyVqz2H28xb.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1360
- C:\Users\Admin\Documents\JOb_QVoVE63no9XTvnxsN_BG.exe
  "C:\Users\Admin\Documents\JOb_QVoVE63no9XTvnxsN_BG.exe"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Users\Admin\Documents\qIeDMuNO6ekCUd53mJsQg3JI.exe
  "C:\Users\Admin\Documents\qIeDMuNO6ekCUd53mJsQg3JI.exe"
  2⤵
  - Executes dropped EXE
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{YkLF-GW4F3-vAB6-udayj}\84833096726.exe"
    3⤵
    - Loads dropped DLL
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\{YkLF-GW4F3-vAB6-udayj}\84833096726.exe
      "C:\Users\Admin\AppData\Local\Temp\{YkLF-GW4F3-vAB6-udayj}\84833096726.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{YkLF-GW4F3-vAB6-udayj}\13269804798.exe" /mix
    3⤵
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\{YkLF-GW4F3-vAB6-udayj}\13269804798.exe
      "C:\Users\Admin\AppData\Local\Temp\{YkLF-GW4F3-vAB6-udayj}\13269804798.exe" /mix
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "qIeDMuNO6ekCUd53mJsQg3JI.exe" /f & erase "C:\Users\Admin\Documents\qIeDMuNO6ekCUd53mJsQg3JI.exe" & exit
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "qIeDMuNO6ekCUd53mJsQg3JI.exe" /f
      4⤵
      Kills process with taskkill
      PID:832
- C:\Users\Admin\Documents\J_HoTrPhl_lTpNd4JDCGBa5f.exe
  "C:\Users\Admin\Documents\J_HoTrPhl_lTpNd4JDCGBa5f.exe"
  2⤵
  - Executes dropped EXE
  PID:536
- - C:\Users\Admin\Documents\J_HoTrPhl_lTpNd4JDCGBa5f.exe
    C:\Users\Admin\Documents\J_HoTrPhl_lTpNd4JDCGBa5f.exe
    3⤵
    PID:112
- - C:\Users\Admin\Documents\J_HoTrPhl_lTpNd4JDCGBa5f.exe
    C:\Users\Admin\Documents\J_HoTrPhl_lTpNd4JDCGBa5f.exe
    3⤵
    PID:3024
- C:\Users\Admin\Documents\OWVhqp5Dp27YT9hSHgFrLXLq.exe
  "C:\Users\Admin\Documents\OWVhqp5Dp27YT9hSHgFrLXLq.exe"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Users\Admin\Documents\DECd6q6bcZh8TgjGMbotbBAk.exe
  "C:\Users\Admin\Documents\DECd6q6bcZh8TgjGMbotbBAk.exe"
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Users\Admin\Documents\yjc6JpLFqac7Hs3uoa3Jz5Ql.exe
  "C:\Users\Admin\Documents\yjc6JpLFqac7Hs3uoa3Jz5Ql.exe"
  2⤵
  - Executes dropped EXE
  PID:760
- - C:\Users\Admin\AppData\Roaming\6869919.exe
    "C:\Users\Admin\AppData\Roaming\6869919.exe"
    3⤵
    PID:1524
- - C:\Users\Admin\AppData\Roaming\1826496.exe
    "C:\Users\Admin\AppData\Roaming\1826496.exe"
    3⤵
    PID:2368
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:2500
- - C:\Users\Admin\AppData\Roaming\1743306.exe
    "C:\Users\Admin\AppData\Roaming\1743306.exe"
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Roaming\8713091.exe
    "C:\Users\Admin\AppData\Roaming\8713091.exe"
    3⤵
    PID:2700
- - C:\Users\Admin\AppData\Roaming\3748915.exe
    "C:\Users\Admin\AppData\Roaming\3748915.exe"
    3⤵
    PID:524
- C:\Users\Admin\Documents\uj6JQQLvAuh6aWDFc2gvlle5.exe
  "C:\Users\Admin\Documents\uj6JQQLvAuh6aWDFc2gvlle5.exe"
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Users\Admin\Documents\cuQnEFtftUbSnjeeJnMd1fX2.exe
  "C:\Users\Admin\Documents\cuQnEFtftUbSnjeeJnMd1fX2.exe"
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Users\Admin\Documents\pnxvPt5C6wHnfzxaPHBBzPUP.exe
  "C:\Users\Admin\Documents\pnxvPt5C6wHnfzxaPHBBzPUP.exe"
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Users\Admin\Documents\1IL_7iIQUKPU8pu39MBEp5em.exe
  "C:\Users\Admin\Documents\1IL_7iIQUKPU8pu39MBEp5em.exe"
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Users\Admin\Documents\XvUhoMYufVqOeBiXcvBuXt79.exe
  "C:\Users\Admin\Documents\XvUhoMYufVqOeBiXcvBuXt79.exe"
  2⤵
  - Executes dropped EXE
  PID:612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Ta6c-T8k2P-5RAs-4AGPt}\33219780195.exe"
    3⤵
    - Loads dropped DLL
    PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\{Ta6c-T8k2P-5RAs-4AGPt}\33219780195.exe
      "C:\Users\Admin\AppData\Local\Temp\{Ta6c-T8k2P-5RAs-4AGPt}\33219780195.exe"
      4⤵
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Ta6c-T8k2P-5RAs-4AGPt}\03725975030.exe" /mix
    3⤵
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\{Ta6c-T8k2P-5RAs-4AGPt}\03725975030.exe
      "C:\Users\Admin\AppData\Local\Temp\{Ta6c-T8k2P-5RAs-4AGPt}\03725975030.exe" /mix
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "XvUhoMYufVqOeBiXcvBuXt79.exe" /f & erase "C:\Users\Admin\Documents\XvUhoMYufVqOeBiXcvBuXt79.exe" & exit
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "XvUhoMYufVqOeBiXcvBuXt79.exe" /f
      4⤵
      Kills process with taskkill
      PID:1152
- C:\Users\Admin\Documents\k27RoI1t817T1j1Phl7lvOqm.exe
  "C:\Users\Admin\Documents\k27RoI1t817T1j1Phl7lvOqm.exe"
  2⤵
  - Executes dropped EXE
  PID:1400
- - C:\Users\Admin\Documents\k27RoI1t817T1j1Phl7lvOqm.exe
    C:\Users\Admin\Documents\k27RoI1t817T1j1Phl7lvOqm.exe
    3⤵
    PID:2000
- C:\Users\Admin\Documents\spwyxPTgkkvPk5HuZvglrHUZ.exe
  "C:\Users\Admin\Documents\spwyxPTgkkvPk5HuZvglrHUZ.exe"
  2⤵
  - Executes dropped EXE
  PID:1704
- - C:\Users\Admin\Documents\spwyxPTgkkvPk5HuZvglrHUZ.exe
    "C:\Users\Admin\Documents\spwyxPTgkkvPk5HuZvglrHUZ.exe"
    3⤵
    PID:2660
- C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
  "C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe"
  2⤵
  - Executes dropped EXE
  PID:972
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:2316
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:2908
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:2244
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:2648
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:3056
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:2028
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:2452
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:3028
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:2220
- - C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    C:\Users\Admin\Documents\uZzrzIYoppHegyl7VQ9nUMFJ.exe
    3⤵
    PID:2408
- C:\Users\Admin\Documents\_qgM74ZSPwDjlJq2ndjiHGaU.exe
  "C:\Users\Admin\Documents\_qgM74ZSPwDjlJq2ndjiHGaU.exe"
  2⤵
  - Executes dropped EXE
  PID:436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 856
    3⤵
    - Program crash
    PID:2636
- C:\Users\Admin\Documents\gfIiU36VO8lqc2FRSqyMIuY5.exe
  "C:\Users\Admin\Documents\gfIiU36VO8lqc2FRSqyMIuY5.exe"
  2⤵
  - Executes dropped EXE
  PID:604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2948

C:\Users\Admin\AppData\Local\Temp\4F58.exe
C:\Users\Admin\AppData\Local\Temp\4F58.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\89AB.exe
C:\Users\Admin\AppData\Local\Temp\89AB.exe
1⤵
PID:1456
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  PID:2736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2156

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:524

C:\Windows\system32\taskeng.exe
taskeng.exe {F3279289-B493-48E5-8BF5-BC7BD2E20566} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:732
- C:\Users\Admin\AppData\Roaming\hsurfgt
  C:\Users\Admin\AppData\Roaming\hsurfgt
  2⤵
  PID:2220
- - C:\Users\Admin\AppData\Roaming\hsurfgt
    C:\Users\Admin\AppData\Roaming\hsurfgt
    3⤵
    PID:884
- C:\Users\Admin\AppData\Roaming\hsurfgt
  C:\Users\Admin\AppData\Roaming\hsurfgt
  2⤵
  PID:2320
- - C:\Users\Admin\AppData\Roaming\hsurfgt
    C:\Users\Admin\AppData\Roaming\hsurfgt
    3⤵
    PID:2936

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1828

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2744

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2928

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery