djvu | e8e4a4c7c5c593136058722cabe2d42631feffde95d923f5fd7020b0c7286f22

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

windows_update.exek6NuARSJ8iSw9NR_4XybyVGg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	windows_update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6NuARSJ8iSw9NR_4XybyVGg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6NuARSJ8iSw9NR_4XybyVGg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	k6NuARSJ8iSw9NR_4XybyVGg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	windows_update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	windows_update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	windows_update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	windows_update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6NuARSJ8iSw9NR_4XybyVGg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	windows_update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k6NuARSJ8iSw9NR_4XybyVGg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6NuARSJ8iSw9NR_4XybyVGg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	windows_update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6NuARSJ8iSw9NR_4XybyVGg.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/30888-324-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 5168 created 1044 5168 svchost.exe wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

windows_update.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ windows_update.exe

description	pid	process	target process
PID 5168 created 1044	5168	svchost.exe	wJZ_V9M_UlZnaKf7G6ls2ocx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	windows_update.exe

ModiLoader Second Stage 39 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3156-145-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-146-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-148-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-147-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-149-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-150-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-151-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-152-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-154-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-155-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-156-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-153-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-158-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-159-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-160-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-161-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-157-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-162-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-163-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-164-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-165-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-166-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-167-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-169-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-170-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-168-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-175-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-176-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-174-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-178-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-177-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-185-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-186-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-187-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-188-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-189-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-191-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-193-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2
behavioral2/memory/3156-190-0x0000000006FD0000-0x000000000702B000-memory.dmp	modiloader_stage2

Vidar Stealer 8 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3512-302-0x0000000000400000-0x0000000000462000-memory.dmp	family_vidar
behavioral2/memory/3512-299-0x0000000000400000-0x0000000000462000-memory.dmp	family_vidar
behavioral2/memory/3512-296-0x0000000000400000-0x0000000000462000-memory.dmp	family_vidar
behavioral2/memory/3512-313-0x0000000000400000-0x0000000000462000-memory.dmp	family_vidar
behavioral2/memory/3608-319-0x0000000000DA0000-0x0000000000DEF000-memory.dmp	family_vidar
behavioral2/memory/3608-320-0x0000000000400000-0x0000000000B58000-memory.dmp	family_vidar
behavioral2/memory/2820-340-0x0000000000C70000-0x0000000000CBF000-memory.dmp	family_vidar
behavioral2/memory/2820-342-0x0000000000400000-0x0000000000B58000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 28 IoCs

Processes:

4ghHPrGmdDsylRMeycmCOGoE.exePnGq6CISBPjFwVKrPiInASjR.exe0c91Ia4E2yy7BccnBEemB5rO.exe79ObehdUsGfvQhpJCnYZ9HRn.exexpvGqQ3bxpwgdKkubZtOBmpn.exeTGMUhN4nRDnY99BnhBcPXWeq.exezA3OPILwSFDz6tmGo5QgMpVh.exei4kFONREvkqYDDqCmAoVj4oW.exevxRPJ43RDYS_5i6O1iyU8vQx.exewJZ_V9M_UlZnaKf7G6ls2ocx.exerbzq80bXk7OcesXzfy4WDo4l.exeC2hSwsS17UL4FP2eo0EFz44P.exe1cEU8KubJK1CqZh6CvtJUD7c.exeCKQdJFbAXJ7tjp_q5y7QbcMD.exeto4tTL178PMDaBcruG6fWr06.exe6zOrqRiWNMHR7FOxcur7QkDo.exeKESOcY_E2JlQ6ftXzNTzXiBE.exeaNHsUZTgrekyf1X8OZI9SMxX.exe5m5lSdeuDBO0uMxUNVLvdo6X.exe1cEU8KubJK1CqZh6CvtJUD7c.exe0c91Ia4E2yy7BccnBEemB5rO.exe0c91Ia4E2yy7BccnBEemB5rO.exezA3OPILwSFDz6tmGo5QgMpVh.exek6NuARSJ8iSw9NR_4XybyVGg.exevxRPJ43RDYS_5i6O1iyU8vQx.exew4hWbN671CJhMeLqKUhszDQv.exewJZ_V9M_UlZnaKf7G6ls2ocx.exezA3OPILwSFDz6tmGo5QgMpVh.exe

pid	process
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
4916	PnGq6CISBPjFwVKrPiInASjR.exe
1780	0c91Ia4E2yy7BccnBEemB5rO.exe
1776	79ObehdUsGfvQhpJCnYZ9HRn.exe
3460	xpvGqQ3bxpwgdKkubZtOBmpn.exe
3608	TGMUhN4nRDnY99BnhBcPXWeq.exe
3672	zA3OPILwSFDz6tmGo5QgMpVh.exe
4592	i4kFONREvkqYDDqCmAoVj4oW.exe
3576	vxRPJ43RDYS_5i6O1iyU8vQx.exe
1044	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
4356	rbzq80bXk7OcesXzfy4WDo4l.exe
4664	C2hSwsS17UL4FP2eo0EFz44P.exe
1048	1cEU8KubJK1CqZh6CvtJUD7c.exe
4812	CKQdJFbAXJ7tjp_q5y7QbcMD.exe
3968	to4tTL178PMDaBcruG6fWr06.exe
2820	6zOrqRiWNMHR7FOxcur7QkDo.exe
3680	KESOcY_E2JlQ6ftXzNTzXiBE.exe
1372	aNHsUZTgrekyf1X8OZI9SMxX.exe
2624	5m5lSdeuDBO0uMxUNVLvdo6X.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4220	0c91Ia4E2yy7BccnBEemB5rO.exe
3512	0c91Ia4E2yy7BccnBEemB5rO.exe
30960	zA3OPILwSFDz6tmGo5QgMpVh.exe
31268	k6NuARSJ8iSw9NR_4XybyVGg.exe
3080	vxRPJ43RDYS_5i6O1iyU8vQx.exe
5220	w4hWbN671CJhMeLqKUhszDQv.exe
5272	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
2200	zA3OPILwSFDz6tmGo5QgMpVh.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5704 netsh.exe

pid	process
5704	netsh.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\wJZ_V9M_UlZnaKf7G6ls2ocx.exe	upx
C:\Users\Admin\Pictures\Adobe Films\wJZ_V9M_UlZnaKf7G6ls2ocx.exe	upx
behavioral2/memory/1044-247-0x0000000000400000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_ctypes.pyd	upx
behavioral2/memory/4084-274-0x00007FFDCFF30000-0x00007FFDD036D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\python38.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\python38.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\select.pyd	upx
behavioral2/memory/4084-300-0x00007FFDD1230000-0x00007FFDD1254000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_bz2.pyd	upx
behavioral2/memory/4084-311-0x00007FFDCFEA0000-0x00007FFDCFEE4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_bz2.pyd	upx
behavioral2/memory/4084-305-0x00007FFDDF420000-0x00007FFDDF42D000-memory.dmp	upx
behavioral2/memory/4084-314-0x00007FFDCFEF0000-0x00007FFDCFF0B000-memory.dmp	upx
behavioral2/memory/4084-304-0x00007FFDCFF10000-0x00007FFDCFF29000-memory.dmp	upx
behavioral2/memory/4084-303-0x00007FFDE92E0000-0x00007FFDE92EF000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

windows_update.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	windows_update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	windows_update.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

PnGq6CISBPjFwVKrPiInASjR.exeaNHsUZTgrekyf1X8OZI9SMxX.exek6NuARSJ8iSw9NR_4XybyVGg.exezA3OPILwSFDz6tmGo5QgMpVh.exewindows_update.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	PnGq6CISBPjFwVKrPiInASjR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	aNHsUZTgrekyf1X8OZI9SMxX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	k6NuARSJ8iSw9NR_4XybyVGg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	zA3OPILwSFDz6tmGo5QgMpVh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	windows_update.exe

Loads dropped DLL 11 IoCs

Processes:

1cEU8KubJK1CqZh6CvtJUD7c.exe0c91Ia4E2yy7BccnBEemB5rO.exe

pid	process
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
4084	1cEU8KubJK1CqZh6CvtJUD7c.exe
3512	0c91Ia4E2yy7BccnBEemB5rO.exe
3512	0c91Ia4E2yy7BccnBEemB5rO.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

392 icacls.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
392	icacls.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3156-130-0x0000000000D20000-0x000000000108D000-memory.dmp	themida
behavioral2/memory/3156-131-0x0000000000D20000-0x000000000108D000-memory.dmp	themida
behavioral2/memory/3156-134-0x0000000000D20000-0x000000000108D000-memory.dmp	themida
behavioral2/memory/4712-192-0x0000000000D20000-0x000000000108D000-memory.dmp	themida
behavioral2/memory/3156-195-0x0000000000D20000-0x000000000108D000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

xpvGqQ3bxpwgdKkubZtOBmpn.exezA3OPILwSFDz6tmGo5QgMpVh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	xpvGqQ3bxpwgdKkubZtOBmpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	xpvGqQ3bxpwgdKkubZtOBmpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\46eb170d-735f-4ffc-8909-33c552faab1f\\zA3OPILwSFDz6tmGo5QgMpVh.exe\" --AutoStart"	zA3OPILwSFDz6tmGo5QgMpVh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

windows_update.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA windows_update.exe
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ipinfo.io
132 ipinfo.io
160 api.2ip.ua
162 api.2ip.ua
186 ipinfo.io
25 ipinfo.io
187 ipinfo.io
201 api.2ip.ua
131 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

windows_update.exe1cEU8KubJK1CqZh6CvtJUD7c.exe

pid process

3156 windows_update.exe
4084 1cEU8KubJK1CqZh6CvtJUD7c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	windows_update.exe

flow	ioc
26	ipinfo.io
132	ipinfo.io
160	api.2ip.ua
162	api.2ip.ua
186	ipinfo.io
25	ipinfo.io
187	ipinfo.io
201	api.2ip.ua
131	ipinfo.io

Suspicious use of SetThreadContext 4 IoCs

Processes:

0c91Ia4E2yy7BccnBEemB5rO.exezA3OPILwSFDz6tmGo5QgMpVh.exeC2hSwsS17UL4FP2eo0EFz44P.exevxRPJ43RDYS_5i6O1iyU8vQx.exe

description	pid	process	target process
PID 4220 set thread context of 3512	4220	0c91Ia4E2yy7BccnBEemB5rO.exe	0c91Ia4E2yy7BccnBEemB5rO.exe
PID 3672 set thread context of 30960	3672	zA3OPILwSFDz6tmGo5QgMpVh.exe	zA3OPILwSFDz6tmGo5QgMpVh.exe
PID 4664 set thread context of 30888	4664	C2hSwsS17UL4FP2eo0EFz44P.exe	AppLaunch.exe
PID 3576 set thread context of 3080	3576	vxRPJ43RDYS_5i6O1iyU8vQx.exe	vxRPJ43RDYS_5i6O1iyU8vQx.exe

Drops file in Program Files directory 2 IoCs

Processes:

PnGq6CISBPjFwVKrPiInASjR.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	PnGq6CISBPjFwVKrPiInASjR.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	PnGq6CISBPjFwVKrPiInASjR.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\1cEU8KubJK1CqZh6CvtJUD7c.exe	pyinstaller
C:\Users\Admin\Pictures\Adobe Films\1cEU8KubJK1CqZh6CvtJUD7c.exe	pyinstaller
C:\Users\Admin\Pictures\Adobe Films\1cEU8KubJK1CqZh6CvtJUD7c.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
31404	4356	WerFault.exe	rbzq80bXk7OcesXzfy4WDo4l.exe
2384	4356	WerFault.exe	rbzq80bXk7OcesXzfy4WDo4l.exe
2492	4356	WerFault.exe	rbzq80bXk7OcesXzfy4WDo4l.exe
2092	4356	WerFault.exe	rbzq80bXk7OcesXzfy4WDo4l.exe
3508	4356	WerFault.exe	rbzq80bXk7OcesXzfy4WDo4l.exe
1612	4356	WerFault.exe	rbzq80bXk7OcesXzfy4WDo4l.exe
5184	1776	WerFault.exe	79ObehdUsGfvQhpJCnYZ9HRn.exe
5384	4356	WerFault.exe	rbzq80bXk7OcesXzfy4WDo4l.exe
6132	2624	WerFault.exe	5m5lSdeuDBO0uMxUNVLvdo6X.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

0c91Ia4E2yy7BccnBEemB5rO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0c91Ia4E2yy7BccnBEemB5rO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0c91Ia4E2yy7BccnBEemB5rO.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

31300 schtasks.exe
31344 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

660 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5232 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5884 taskkill.exe

pid	process
31300	schtasks.exe
31344	schtasks.exe

pid	process
660	timeout.exe

pid	process
5232	tasklist.exe

pid	process
5884	taskkill.exe

Modifies data under HKEY_USERS 34 IoCs

Processes:

wJZ_V9M_UlZnaKf7G6ls2ocx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	wJZ_V9M_UlZnaKf7G6ls2ocx.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

windows_update.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	windows_update.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	windows_update.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6068 PING.EXE

pid	process
6068	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

windows_update.exewindows_update.exe4ghHPrGmdDsylRMeycmCOGoE.exe

pid	process
3156	windows_update.exe
3156	windows_update.exe
4712	windows_update.exe
4712	windows_update.exe
4712	windows_update.exe
4712	windows_update.exe
4712	windows_update.exe
4712	windows_update.exe
4712	windows_update.exe
4712	windows_update.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe
1408	4ghHPrGmdDsylRMeycmCOGoE.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

aNHsUZTgrekyf1X8OZI9SMxX.exevxRPJ43RDYS_5i6O1iyU8vQx.exe79ObehdUsGfvQhpJCnYZ9HRn.exeCKQdJFbAXJ7tjp_q5y7QbcMD.exei4kFONREvkqYDDqCmAoVj4oW.exepowershell.exeto4tTL178PMDaBcruG6fWr06.exepowershell.exeAppLaunch.exewJZ_V9M_UlZnaKf7G6ls2ocx.exesvchost.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1372	aNHsUZTgrekyf1X8OZI9SMxX.exe
Token: SeDebugPrivilege	3576	vxRPJ43RDYS_5i6O1iyU8vQx.exe
Token: SeDebugPrivilege	1776	79ObehdUsGfvQhpJCnYZ9HRn.exe
Token: SeDebugPrivilege	4812	CKQdJFbAXJ7tjp_q5y7QbcMD.exe
Token: SeDebugPrivilege	4592	i4kFONREvkqYDDqCmAoVj4oW.exe
Token: SeDebugPrivilege	30916	powershell.exe
Token: SeDebugPrivilege	3968	to4tTL178PMDaBcruG6fWr06.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	30888	AppLaunch.exe
Token: SeDebugPrivilege	1044	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Token: SeImpersonatePrivilege	1044	wJZ_V9M_UlZnaKf7G6ls2ocx.exe
Token: SeTcbPrivilege	5168	svchost.exe
Token: SeTcbPrivilege	5168	svchost.exe
Token: SeDebugPrivilege	5232	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

windows_update.exe

description	pid	process	target process
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe
PID 3156 wrote to memory of 4712	3156	windows_update.exe	windows_update.exe

C:\Users\Admin\AppData\Local\Temp\windows_update.exe
"C:\Users\Admin\AppData\Local\Temp\windows_update.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\windows_update.exe
C:\Users\Admin\AppData\Local\Temp\windows_update.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4712

C:\Users\Admin\Pictures\Adobe Films\4ghHPrGmdDsylRMeycmCOGoE.exe
"C:\Users\Admin\Pictures\Adobe Films\4ghHPrGmdDsylRMeycmCOGoE.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1408

C:\Users\Admin\Pictures\Adobe Films\PnGq6CISBPjFwVKrPiInASjR.exe
"C:\Users\Admin\Pictures\Adobe Films\PnGq6CISBPjFwVKrPiInASjR.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:4916

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:31300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:31344

C:\Users\Admin\Documents\k6NuARSJ8iSw9NR_4XybyVGg.exe
"C:\Users\Admin\Documents\k6NuARSJ8iSw9NR_4XybyVGg.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:31268

C:\Users\Admin\Pictures\Adobe Films\w4hWbN671CJhMeLqKUhszDQv.exe
"C:\Users\Admin\Pictures\Adobe Films\w4hWbN671CJhMeLqKUhszDQv.exe"
5⤵
- Executes dropped EXE
PID:5220

C:\Users\Admin\Pictures\Adobe Films\sl_uXcLTA2IM1iN01yLRJyKB.exe
"C:\Users\Admin\Pictures\Adobe Films\sl_uXcLTA2IM1iN01yLRJyKB.exe"
5⤵
PID:6108

C:\Users\Admin\Pictures\Adobe Films\H9z3VaJ7Wa5JJ2aDN11VPwrh.exe
"C:\Users\Admin\Pictures\Adobe Films\H9z3VaJ7Wa5JJ2aDN11VPwrh.exe"
5⤵
PID:368

C:\Users\Admin\Pictures\Adobe Films\0Ipiz8eAwDY28tnGZCVv3jKm.exe
"C:\Users\Admin\Pictures\Adobe Films\0Ipiz8eAwDY28tnGZCVv3jKm.exe"
5⤵
PID:6148

C:\Users\Admin\Pictures\Adobe Films\xeDSrzAqHcg8HyO9nKt0NENb.exe
"C:\Users\Admin\Pictures\Adobe Films\xeDSrzAqHcg8HyO9nKt0NENb.exe"
5⤵
PID:6168

C:\Users\Admin\Pictures\Adobe Films\d8Ddgfk56gffTmkSF9HmIJeb.exe
"C:\Users\Admin\Pictures\Adobe Films\d8Ddgfk56gffTmkSF9HmIJeb.exe"
5⤵
PID:6204

C:\Users\Admin\Pictures\Adobe Films\0c91Ia4E2yy7BccnBEemB5rO.exe
"C:\Users\Admin\Pictures\Adobe Films\0c91Ia4E2yy7BccnBEemB5rO.exe"
3⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\Pictures\Adobe Films\0c91Ia4E2yy7BccnBEemB5rO.exe
"C:\Users\Admin\Pictures\Adobe Films\0c91Ia4E2yy7BccnBEemB5rO.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4220

C:\Users\Admin\Pictures\Adobe Films\79ObehdUsGfvQhpJCnYZ9HRn.exe
"C:\Users\Admin\Pictures\Adobe Films\79ObehdUsGfvQhpJCnYZ9HRn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1292
4⤵
- Program crash
PID:5184

C:\Users\Admin\Pictures\Adobe Films\xpvGqQ3bxpwgdKkubZtOBmpn.exe
"C:\Users\Admin\Pictures\Adobe Films\xpvGqQ3bxpwgdKkubZtOBmpn.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3460

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Questo.ppt & ping -n 5 localhost
4⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:31200

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5232

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:5396

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^EMjNKsUmZgpLIzWkfbdJjdfgUCiantYcrvsDCTscDINycNZcJFvRHNEgvYTipBwUfOIkwaJvyUyDClSuCMJSIiNdSeuDqljwHTQHtOzdWqLNHqLjyMEvRpjowazYkyvVHrWJxlwOz$" Sorrideva.ppt
6⤵
PID:5612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nostra.exe.pif
Nostra.exe.pif f
6⤵
PID:5944

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
6⤵
- Runs ping.exe
PID:6068

C:\Windows\SysWOW64\dllhost.exe
dllhost kjdlskreshduehfiuwefuihuzhdsfbvnzmnnxcvjkhawiuoyrf8wer847345
4⤵
PID:4396

C:\Users\Admin\Pictures\Adobe Films\zA3OPILwSFDz6tmGo5QgMpVh.exe
"C:\Users\Admin\Pictures\Adobe Films\zA3OPILwSFDz6tmGo5QgMpVh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3672

C:\Users\Admin\Pictures\Adobe Films\zA3OPILwSFDz6tmGo5QgMpVh.exe
"C:\Users\Admin\Pictures\Adobe Films\zA3OPILwSFDz6tmGo5QgMpVh.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:30960

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\46eb170d-735f-4ffc-8909-33c552faab1f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
5⤵
- Modifies file permissions
PID:392

C:\Users\Admin\Pictures\Adobe Films\zA3OPILwSFDz6tmGo5QgMpVh.exe
"C:\Users\Admin\Pictures\Adobe Films\zA3OPILwSFDz6tmGo5QgMpVh.exe" --Admin IsNotAutoStart IsNotTask
5⤵
- Executes dropped EXE
PID:2200

C:\Users\Admin\Pictures\Adobe Films\zA3OPILwSFDz6tmGo5QgMpVh.exe
"C:\Users\Admin\Pictures\Adobe Films\zA3OPILwSFDz6tmGo5QgMpVh.exe" --Admin IsNotAutoStart IsNotTask
6⤵
PID:5508

C:\Users\Admin\Pictures\Adobe Films\TGMUhN4nRDnY99BnhBcPXWeq.exe
"C:\Users\Admin\Pictures\Adobe Films\TGMUhN4nRDnY99BnhBcPXWeq.exe"
3⤵
- Executes dropped EXE
PID:3608

C:\Users\Admin\Pictures\Adobe Films\wJZ_V9M_UlZnaKf7G6ls2ocx.exe
"C:\Users\Admin\Pictures\Adobe Films\wJZ_V9M_UlZnaKf7G6ls2ocx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Users\Admin\Pictures\Adobe Films\wJZ_V9M_UlZnaKf7G6ls2ocx.exe
"C:\Users\Admin\Pictures\Adobe Films\wJZ_V9M_UlZnaKf7G6ls2ocx.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:5548

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:5704

C:\Users\Admin\Pictures\Adobe Films\vxRPJ43RDYS_5i6O1iyU8vQx.exe
"C:\Users\Admin\Pictures\Adobe Films\vxRPJ43RDYS_5i6O1iyU8vQx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Users\Admin\Pictures\Adobe Films\vxRPJ43RDYS_5i6O1iyU8vQx.exe
"C:\Users\Admin\Pictures\Adobe Films\vxRPJ43RDYS_5i6O1iyU8vQx.exe"
4⤵
- Executes dropped EXE
PID:3080

C:\Users\Admin\Pictures\Adobe Films\i4kFONREvkqYDDqCmAoVj4oW.exe
"C:\Users\Admin\Pictures\Adobe Films\i4kFONREvkqYDDqCmAoVj4oW.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\Pictures\Adobe Films\to4tTL178PMDaBcruG6fWr06.exe
"C:\Users\Admin\Pictures\Adobe Films\to4tTL178PMDaBcruG6fWr06.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Users\Admin\Pictures\Adobe Films\1cEU8KubJK1CqZh6CvtJUD7c.exe
"C:\Users\Admin\Pictures\Adobe Films\1cEU8KubJK1CqZh6CvtJUD7c.exe"
3⤵
- Executes dropped EXE
PID:1048

C:\Users\Admin\Pictures\Adobe Films\1cEU8KubJK1CqZh6CvtJUD7c.exe
"C:\Users\Admin\Pictures\Adobe Films\1cEU8KubJK1CqZh6CvtJUD7c.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command "Add-MpPreference -ExclusionPath '"%USERPROFILE%\AppData\Roaming'""
5⤵
PID:10884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming'"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:30916

C:\Users\Admin\Pictures\Adobe Films\C2hSwsS17UL4FP2eo0EFz44P.exe
"C:\Users\Admin\Pictures\Adobe Films\C2hSwsS17UL4FP2eo0EFz44P.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:30888

C:\Users\Admin\Pictures\Adobe Films\CKQdJFbAXJ7tjp_q5y7QbcMD.exe
"C:\Users\Admin\Pictures\Adobe Films\CKQdJFbAXJ7tjp_q5y7QbcMD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Users\Admin\Pictures\Adobe Films\rbzq80bXk7OcesXzfy4WDo4l.exe
"C:\Users\Admin\Pictures\Adobe Films\rbzq80bXk7OcesXzfy4WDo4l.exe"
3⤵
- Executes dropped EXE
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 452
4⤵
- Program crash
PID:31404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 772
4⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 780
4⤵
- Program crash
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 804
4⤵
- Program crash
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 764
4⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 984
4⤵
- Program crash
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1012
4⤵
- Program crash
PID:5384

C:\Users\Admin\Pictures\Adobe Films\5m5lSdeuDBO0uMxUNVLvdo6X.exe
"C:\Users\Admin\Pictures\Adobe Films\5m5lSdeuDBO0uMxUNVLvdo6X.exe"
3⤵
- Executes dropped EXE
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 764
4⤵
- Program crash
PID:6132

C:\Users\Admin\Pictures\Adobe Films\aNHsUZTgrekyf1X8OZI9SMxX.exe
"C:\Users\Admin\Pictures\Adobe Films\aNHsUZTgrekyf1X8OZI9SMxX.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Users\Admin\Pictures\Adobe Films\KESOcY_E2JlQ6ftXzNTzXiBE.exe
"C:\Users\Admin\Pictures\Adobe Films\KESOcY_E2JlQ6ftXzNTzXiBE.exe"
3⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\Pictures\Adobe Films\6zOrqRiWNMHR7FOxcur7QkDo.exe
"C:\Users\Admin\Pictures\Adobe Films\6zOrqRiWNMHR7FOxcur7QkDo.exe"
3⤵
- Executes dropped EXE
PID:2820

C:\Users\Admin\Pictures\Adobe Films\0c91Ia4E2yy7BccnBEemB5rO.exe
"C:\Users\Admin\Pictures\Adobe Films\0c91Ia4E2yy7BccnBEemB5rO.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:3512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 0c91Ia4E2yy7BccnBEemB5rO.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\0c91Ia4E2yy7BccnBEemB5rO.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:5664

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 0c91Ia4E2yy7BccnBEemB5rO.exe /f
3⤵
- Kills process with taskkill
PID:5884

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4356 -ip 4356
1⤵
PID:31208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4356 -ip 4356
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4356 -ip 4356
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4356 -ip 4356
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4356 -ip 4356
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4356 -ip 4356
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1776 -ip 1776
1⤵
PID:5128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4356 -ip 4356
1⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2624 -ip 2624
1⤵
PID:6052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery