ffdroider | 93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WW14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	random.exe.exe

Loads dropped DLL 1 IoCs

pid	Process
4792	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	FJEfRXZ.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	FJEfRXZ.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ipinfo.io
34	ipinfo.io
115	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	setup777.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
776	4792	WerFault.exe	83
1388	2060	WerFault.exe	89
2364	2060	WerFault.exe	89
1308	2060	WerFault.exe	89
4520	2060	WerFault.exe	89
3844	2060	WerFault.exe	89
3208	4628	WerFault.exe	133
1864	2060	WerFault.exe	89
384	456	WerFault.exe	150

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000231f2-254.dat	nsis_installer_1
behavioral2/files/0x00070000000231f2-254.dat	nsis_installer_2
behavioral2/files/0x00070000000231f2-262.dat	nsis_installer_1
behavioral2/files/0x00070000000231f2-262.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2212	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3772	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	68	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3680	WW14.exe
3680	WW14.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe
4372	NiceProcessX64.bmp.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4252	random.exe.exe
4252	random.exe.exe
2056	random.exe.exe
2056	random.exe.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4372	3680	WW14.exe	79
PID 3680 wrote to memory of 4372	3680	WW14.exe	79
PID 3680 wrote to memory of 4252	3680	WW14.exe	80
PID 3680 wrote to memory of 4252	3680	WW14.exe	80
PID 3680 wrote to memory of 4252	3680	WW14.exe	80
PID 4252 wrote to memory of 2056	4252	random.exe.exe	81
PID 4252 wrote to memory of 2056	4252	random.exe.exe	81
PID 4252 wrote to memory of 2056	4252	random.exe.exe	81
PID 1864 wrote to memory of 4792	1864	rundll32.exe	83
PID 1864 wrote to memory of 4792	1864	rundll32.exe	83
PID 1864 wrote to memory of 4792	1864	rundll32.exe	83
PID 3680 wrote to memory of 4772	3680	WW14.exe	87
PID 3680 wrote to memory of 4772	3680	WW14.exe	87
PID 3680 wrote to memory of 4772	3680	WW14.exe	87
PID 3680 wrote to memory of 4680	3680	WW14.exe	88
PID 3680 wrote to memory of 4680	3680	WW14.exe	88
PID 3680 wrote to memory of 4680	3680	WW14.exe	88
PID 3680 wrote to memory of 2060	3680	WW14.exe	89
PID 3680 wrote to memory of 2060	3680	WW14.exe	89
PID 3680 wrote to memory of 2060	3680	WW14.exe	89
PID 3680 wrote to memory of 3952	3680	WW14.exe	90
PID 3680 wrote to memory of 3952	3680	WW14.exe	90
PID 3680 wrote to memory of 3952	3680	WW14.exe	90
PID 4680 wrote to memory of 1176	4680	FJEfRXZ.exe.exe	93
PID 4680 wrote to memory of 1176	4680	FJEfRXZ.exe.exe	93
PID 4680 wrote to memory of 1176	4680	FJEfRXZ.exe.exe	93
PID 3680 wrote to memory of 1164	3680	WW14.exe	92
PID 3680 wrote to memory of 1164	3680	WW14.exe	92
PID 3680 wrote to memory of 1164	3680	WW14.exe	92
PID 3952 wrote to memory of 5064	3952	utube2005.bmp.exe	94
PID 3952 wrote to memory of 5064	3952	utube2005.bmp.exe	94
PID 3952 wrote to memory of 5064	3952	utube2005.bmp.exe	94
PID 4680 wrote to memory of 4112	4680	FJEfRXZ.exe.exe	97
PID 4680 wrote to memory of 4112	4680	FJEfRXZ.exe.exe	97
PID 4680 wrote to memory of 4112	4680	FJEfRXZ.exe.exe	97
PID 5064 wrote to memory of 3876	5064	Install.exe	100
PID 5064 wrote to memory of 3876	5064	Install.exe	100
PID 5064 wrote to memory of 3876	5064	Install.exe	100
PID 3680 wrote to memory of 1624	3680	WW14.exe	99
PID 3680 wrote to memory of 1624	3680	WW14.exe	99
PID 3680 wrote to memory of 1624	3680	WW14.exe	99
PID 4112 wrote to memory of 3248	4112	cmd.exe	101
PID 4112 wrote to memory of 3248	4112	cmd.exe	101
PID 4112 wrote to memory of 3248	4112	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\WW14.exe
"C:\Users\Admin\AppData\Local\Temp\WW14.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
  "C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\random.exe.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Users\Admin\Pictures\Adobe Films\random.exe.exe
    "C:\Users\Admin\Pictures\Adobe Films\random.exe.exe" -h
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2056
- C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\setup777.exe.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:4772
- C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\FJEfRXZ.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\ftp.exe
    ftp -?
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Esistenza.wbk
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:3248
- C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe
  "C:\Users\Admin\Pictures\Adobe Films\mixinte.bmp.exe"
  2⤵
  - Executes dropped EXE
  PID:2060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 452
    3⤵
    - Program crash
    PID:1388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 764
    3⤵
    - Program crash
    PID:2364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 772
    3⤵
    - Program crash
    PID:1308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 808
    3⤵
    - Program crash
    PID:4520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 860
    3⤵
    - Program crash
    PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 984
    3⤵
    - Program crash
    PID:1864
- C:\Users\Admin\Pictures\Adobe Films\utube2005.bmp.exe
  "C:\Users\Admin\Pictures\Adobe Films\utube2005.bmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\7zSAAE1.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\7zSB0FC.tmp\Install.exe
      .\Install.exe /S /site_id "525403"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Enumerates system info in registry
      PID:3876
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:3840
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:1120
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:1032
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:3672
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:4664
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:4888
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:2236
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:3188
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gaVZWTYdz" /SC once /ST 01:39:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:2212
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gaVZWTYdz"
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gaVZWTYdz"
        5⤵
        
        PID:3116
- C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\search_hyperfs_310.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1164
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\kFUyV.cpl",
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\kFUyV.cpl",
      4⤵
      PID:4248
- C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe
  "C:\Users\Admin\Pictures\Adobe Films\download2.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\InvisBrowser45856.exe
    "C:\Users\Admin\AppData\Local\Temp\InvisBrowser45856.exe"
    3⤵
    PID:856
- - C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe
    "C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe"
    3⤵
    PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      4⤵
      PID:4432
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:3772
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:4756
- - C:\Users\Admin\AppData\Local\Temp\setup331.exe
    "C:\Users\Admin\AppData\Local\Temp\setup331.exe"
    3⤵
    PID:2732
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\zBxdF.CpL",
      4⤵
      PID:3420
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\zBxdF.CpL",
        5⤵
        
        PID:3888
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\zBxdF.CpL",
        6⤵
        
        PID:3272
- - C:\Users\Admin\AppData\Local\Temp\xiufangwang.exe
    "C:\Users\Admin\AppData\Local\Temp\xiufangwang.exe"
    3⤵
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\xiufangwang.exe
      "C:\Users\Admin\AppData\Local\Temp\xiufangwang.exe" -h
      4⤵
      PID:2112
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\is-4CG3C.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4CG3C.tmp\setup.tmp" /SL5="$1021C,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe"
      4⤵
      PID:3852
    - - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
        5⤵
        
        PID:4008
      - C:\Users\Admin\AppData\Local\Temp\is-5T9IH.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5T9IH.tmp\setup.tmp" /SL5="$2025C,921114,831488,C:\Users\Admin\AppData\Local\Temp\setup.exe" /VERYSILENT
        6⤵
        
        PID:2796
- - C:\Users\Admin\AppData\Local\Temp\rtst1077.exe
    "C:\Users\Admin\AppData\Local\Temp\rtst1077.exe"
    3⤵
    PID:4628
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4628 -s 912
      4⤵
      Program crash
      PID:3208
- - C:\Users\Admin\AppData\Local\Temp\note8876.exe
    "C:\Users\Admin\AppData\Local\Temp\note8876.exe"
    3⤵
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\inst002.exe
    "C:\Users\Admin\AppData\Local\Temp\inst002.exe"
    3⤵
    PID:1528
- - C:\Users\Admin\AppData\Local\Temp\pregmatch-1.exe
    "C:\Users\Admin\AppData\Local\Temp\pregmatch-1.exe"
    3⤵
    PID:1388
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\Admin\AppData\Roaming\hcjpnleuogyx"
      4⤵
      PID:3972
- - C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
    "C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
    3⤵
    PID:3836
- - C:\Users\Admin\AppData\Local\Temp\anytime 6.exe
    "C:\Users\Admin\AppData\Local\Temp\anytime 6.exe"
    3⤵
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:3716
- - C:\Users\Admin\AppData\Local\Temp\anytime 7.exe
    "C:\Users\Admin\AppData\Local\Temp\anytime 7.exe"
    3⤵
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:4492
- - C:\Users\Admin\AppData\Local\Temp\logger2.exe
    "C:\Users\Admin\AppData\Local\Temp\logger2.exe"
    3⤵
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:5000

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  - Loads dropped DLL
  PID:4792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 556
    3⤵
    - Program crash
    PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4792 -ip 4792
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2060 -ip 2060
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2060 -ip 2060
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2060 -ip 2060
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2060 -ip 2060
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2060 -ip 2060
1⤵
PID:1988

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
PID:408
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  PID:456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 608
    3⤵
    - Program crash
    PID:384

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4628 -ip 4628
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 456 -ip 456
1⤵
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2060 -ip 2060
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2060 -ip 2060
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery