asyncrat | 39320dd56575ef700b43ad49fff8c5088cb8b6bd05546f376b04d44c976ae148

Processes:

3.exe3.exeOpus.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Opus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Opus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Opus.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1604-180-0x0000000000160000-0x0000000000172000-memory.dmp	asyncrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/432-240-0x00000000010B0000-0x0000000001144000-memory.dmp	dcrat
behavioral1/memory/3016-338-0x0000000000090000-0x0000000000124000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

a.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a.exe

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2592-327-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/2592-331-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1916-341-0x0000000000442628-mapping.dmp	WebBrowserPassView
behavioral1/memory/1916-345-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral1/memory/1916-348-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2592-327-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/2592-331-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/1916-341-0x0000000000442628-mapping.dmp	Nirsoft
behavioral1/memory/1916-345-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral1/memory/1916-348-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

3 2012 msiexec.exe
5 2012 msiexec.exe
7 2012 msiexec.exe
12 584 msiexec.exe
14 584 msiexec.exe

flow	pid	process
3	2012	msiexec.exe
5	2012	msiexec.exe
7	2012	msiexec.exe
12	584	msiexec.exe
14	584	msiexec.exe

Drops file in Drivers directory 7 IoCs

Processes:

DrvInst.exeDrvInst.exeTXPlatforn.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET3F23.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET3F23.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\wintun.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET4F69.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET4F69.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Executes dropped EXE 35 IoCs

Processes:

openvpnserv.exeopenvpn-gui.exeopenvpn.exeopenvpn-gui.exeb6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exeRIP_YOUR_PC_LOL.exehealastounding.exePluto Panel.exe0fd7de5367376231a788872005d7ed4f.exe22.exetest.exegay.exeOpus.exeaaa.exe8f1c8b40c7be588389a8d382040b23bb.exe4.exe___11.19.exea.exesvchost.exeFFDvbcrdfqs.exe3.exeDcvxaamev.exeDcvxaamev.exeFFDvbcrdfqs.exe8f1c8b40c7be588389a8d382040b23bb.exe0fd7de5367376231a788872005d7ed4f.exeTXPlatforn.exeTXPlatforn.exesvchos.exemediaget.exeHD____11.19.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exeaaa.exe3.exeOpus.exe

pid	process
1900	openvpnserv.exe
1948	openvpn-gui.exe
268	openvpn.exe
1008	openvpn-gui.exe
1760	b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
1320	RIP_YOUR_PC_LOL.exe
1520	healastounding.exe
556	Pluto Panel.exe
1184	0fd7de5367376231a788872005d7ed4f.exe
960	22.exe
1604	test.exe
1612	gay.exe
1568	Opus.exe
1632	aaa.exe
1464	8f1c8b40c7be588389a8d382040b23bb.exe
552	4.exe
2020	___11.19.exe
1236	a.exe
1940	svchost.exe
2016	FFDvbcrdfqs.exe
432	3.exe
1052	Dcvxaamev.exe
1716	Dcvxaamev.exe
520	FFDvbcrdfqs.exe
1892	8f1c8b40c7be588389a8d382040b23bb.exe
1712	0fd7de5367376231a788872005d7ed4f.exe
1576	TXPlatforn.exe
1748	TXPlatforn.exe
828	svchos.exe
936	mediaget.exe
2140	HD____11.19.exe
2300	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
1796	aaa.exe
2112	3.exe
3016	Opus.exe

Modifies Installed Components in the registry 2 TTPs 6 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

MsiExec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\StubPath = "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v OPENVPN-GUI /t REG_SZ /d \"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\""	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\ = "OpenVPN 2.5.7-I602 amd64"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\Version = "1"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\IsInstalled = "1"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\DontAsk = "2"	MsiExec.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2500 netsh.exe

pid	process
2500	netsh.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

svchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\8134594.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1940-191-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1940-193-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1940-194-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1576-221-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1940-228-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1748-239-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1748-242-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1748-245-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1796-321-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1748-324-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1796-334-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a.exe

Drops startup file 2 IoCs

Processes:

mediaget.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe	mediaget.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe	mediaget.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exemsiexec.exeopenvpnserv.exeopenvpn-gui.exeopenvpn.exeopenvpn-gui.exeRIP_YOUR_PC_LOL.exehealastounding.exe___11.19.exe4.exe8f1c8b40c7be588389a8d382040b23bb.exe22.exeFFDvbcrdfqs.exeDcvxaamev.exeTXPlatforn.exe

pid	process
1684	MsiExec.exe
1684	MsiExec.exe
1652	MsiExec.exe
1652	MsiExec.exe
1652	MsiExec.exe
1368	MsiExec.exe
1368	MsiExec.exe
1368	MsiExec.exe
584	msiexec.exe
584	msiexec.exe
584	msiexec.exe
584	msiexec.exe
1368	MsiExec.exe
1360
464
1900	openvpnserv.exe
1368	MsiExec.exe
1368	MsiExec.exe
1652	MsiExec.exe
1360
1684	MsiExec.exe
1948	openvpn-gui.exe
1948	openvpn-gui.exe
1948	openvpn-gui.exe
1112
268	openvpn.exe
268	openvpn.exe
268	openvpn.exe
268	openvpn.exe
1360
1360
1008	openvpn-gui.exe
1008	openvpn-gui.exe
1320	RIP_YOUR_PC_LOL.exe
1320	RIP_YOUR_PC_LOL.exe
1320	RIP_YOUR_PC_LOL.exe
1320	RIP_YOUR_PC_LOL.exe
1320	RIP_YOUR_PC_LOL.exe
1520	healastounding.exe
1520	healastounding.exe
1520	healastounding.exe
1520	healastounding.exe
1520	healastounding.exe
1520	healastounding.exe
1520	healastounding.exe
1520	healastounding.exe
1320	RIP_YOUR_PC_LOL.exe
1520	healastounding.exe
2020	___11.19.exe
552	4.exe
552	4.exe
552	4.exe
552	4.exe
552	4.exe
1464	8f1c8b40c7be588389a8d382040b23bb.exe
1464	8f1c8b40c7be588389a8d382040b23bb.exe
1464	8f1c8b40c7be588389a8d382040b23bb.exe
1464	8f1c8b40c7be588389a8d382040b23bb.exe
960	22.exe
960	22.exe
960	22.exe
2016	FFDvbcrdfqs.exe
1052	Dcvxaamev.exe
1576	TXPlatforn.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs

collection

Email Collection

T1114

Processes:

vbc.exeaaa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	aaa.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

aaa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aaa.exe

Adds Run key to start application 2 TTPs 19 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

3.exemsiexec.exe3.exeOpus.exemediaget.exePluto Panel.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0fd7de5367376231a788872005d7ed4f = "\"C:\\Users\\Admin\\AppData\\Roaming\\pid\\0fd7de5367376231a788872005d7ed4f.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\jnwmon\\csrss.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3 = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\3.exe\""	3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\wshirda\\dllhost.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opus = "\"C:\\Users\\Admin\\AppData\\Roaming\\test\\Opus.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe"	Opus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .."	mediaget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a = "\"C:\\Users\\Admin\\AppData\\Roaming\\DisableDismount\\a.exe\""	3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Pluto Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\OpenVPN-GUI = "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466 = "\"C:\\Users\\Admin\\AppData\\Roaming\\mediaget.exe\" .."	mediaget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aaa = "\"C:\\Users\\Admin\\AppData\\Roaming\\Opus\\aaa.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\AppCompat\\Programs\\spoolsv.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpn-gui = "\"C:\\Recovery\\31001cc2-2a3d-11ed-9244-9c23e66b04e4\\openvpn-gui.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpnserv = "\"C:\\Program Files\\OpenVPN\\bin\\libpkcs11-helper-1\\openvpnserv.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\openvpn-gui = "\"C:\\Program Files\\OpenVPN\\bin\\openvpnserv\\openvpn-gui.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ö÷¶¯·ÀÓù·þÎñÄ£¿é = "\"C:\\Windows\\SysWOW64\\extrac32\\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe\""	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\System32\\KBDSP\\sppsvc.exe\""	3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

Processes:

Opus.exeOpus.exea.exe3.exe3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Opus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Opus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Opus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.ipify.org
48 whatismyipaddress.com
50 whatismyipaddress.com
51 whatismyipaddress.com

flow	ioc
36	api.ipify.org
48	whatismyipaddress.com
50	whatismyipaddress.com
51	whatismyipaddress.com

Drops file in System32 directory 64 IoCs

Processes:

DrvInst.exesvchost.exe3.exeMsiExec.exe3.exeDrvInst.exesvchost.exesvchos.exeDrvInst.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\System32\wshirda\dllhost.exe	3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nete1e3e.inf_amd64_neutral_f77725472d91b1d1\nete1e3e.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvg62a.inf_amd64_neutral_5817ae5135655364\netvg62a.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b\netrtx64.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathrx.inf_amd64_neutral_905772087ff288af\netathrx.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\net8185.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_neutral_def3401515466414\wintun.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\netr28x.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netl160a.inf_amd64_neutral_f8bdd2cbac28a8fd\netl160a.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_neutral_77b02fd738dca150\netxex64.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_neutral_4ca64d28e1be8fa9\rndiscmp.PNF	MsiExec.exe
File created	C:\Windows\System32\jnwmon\886983d96e3d3e31032c679b2d4ea91b6c05afef	3.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\System32\wshirda\dllhost.exe	3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_neutral_085226e1dfe76c55\netl260a.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_neutral_99bb33c9a5bedaea\netnvma.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netxfx64.inf_amd64_neutral_3336ecb2950fdc45\netxfx64.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\netk57a.PNF	MsiExec.exe
File created	C:\Windows\System32\jnwmon\csrss.exe	3.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File created	C:\Windows\System32\KBDSP\sppsvc.exe	3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netbc664.inf_amd64_neutral_673d3dfb961e9b17\netbc664.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_neutral_59c2a018fe2cf0b4\netnvm64.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_neutral_c81780c5dcabd0a0\netbxnda.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\avmx64c.inf_amd64_neutral_8ebb15bf548db022\avmx64c.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8854.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8855.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_neutral_7f08406e40c6ede2\nete1g3e.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8853.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_neutral_548addf09cb466fa\wnetvsc.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_neutral_def3401515466414\wintun.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8854.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\OemVista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\OemVista.inf	DrvInst.exe
File created	C:\Windows\System32\KBDSP\0a1fd5f707cd16ea89afd3d6db52b2da58214a6c	3.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\netloop.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\tdibth.inf_amd64_neutral_6ad685957123daf1\tdibth.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_neutral_9b64397618841a19\netimm.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_neutral_68988e550e69a417\netr7364.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\SET2205.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netb57va.inf_amd64_neutral_6264e97d4fc12211\netb57va.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_54f2470c084714e1\netr28ux.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_neutral_c239ab5d36a3b3e9\net8187se64.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_neutral_b4e8ccc6ba210e97\netg664.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvfx64.inf_amd64_neutral_194cb6d2ea3a486e\netvfx64.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\SET8855.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

0fd7de5367376231a788872005d7ed4f.exeDcvxaamev.exe8f1c8b40c7be588389a8d382040b23bb.exeaaa.exePluto Panel.exe

description	pid	process	target process
PID 1184 set thread context of 1712	1184	0fd7de5367376231a788872005d7ed4f.exe	0fd7de5367376231a788872005d7ed4f.exe
PID 1052 set thread context of 1716	1052	Dcvxaamev.exe	Dcvxaamev.exe
PID 1464 set thread context of 1892	1464	8f1c8b40c7be588389a8d382040b23bb.exe	8f1c8b40c7be588389a8d382040b23bb.exe
PID 1632 set thread context of 1796	1632	aaa.exe	aaa.exe
PID 556 set thread context of 2592	556	Pluto Panel.exe	vbc.exe
PID 556 set thread context of 1916	556	Pluto Panel.exe	vbc.exe

Drops file in Program Files directory 30 IoCs

Processes:

msiexec.exe___11.19.exe3.exeOpus.exe3.exe

description	ioc	process
File created	C:\Program Files\OpenVPN\bin\openvpnserv.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	___11.19.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	___11.19.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv\openvpn-gui.exe	3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\3.exe	3.exe
File created	C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dll	msiexec.exe
File created	C:\Program Files\OpenVPN\sample-config\server.ovpn	msiexec.exe
File opened for modification	C:\Program Files (x86)\AGP Manager\agpmgr.exe	Opus.exe
File created	C:\Program Files\OpenVPN\bin\libpkcs11-helper-1\74826328f97624628d94647a42849e43e9fa8dd7	3.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\eb163972666d451bbc4e8765b57a2701f8e51ea7	3.exe
File created	C:\Program Files\OpenVPN\include\tap-windows.h	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\tapctl.exe	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv\3f62022937ae2cf6c95cdcf7833ad00a7ff59189	3.exe
File created	C:\Program Files\OpenVPN\bin\openvpn.exe	msiexec.exe
File created	C:\Program Files\OpenVPN\config\README.txt	msiexec.exe
File created	C:\Program Files\OpenVPN\doc\INSTALL-win32.txt	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\libcrypto-1_1-x64.dll	msiexec.exe
File created	C:\Program Files\OpenVPN\license.txt	msiexec.exe
File created	C:\Program Files (x86)\OpenVPN\bin\openvpn-gui.exe	___11.19.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	___11.19.exe
File created	C:\Program Files\OpenVPN\log\README.txt	msiexec.exe
File created	C:\Program Files (x86)\AGP Manager\agpmgr.exe	Opus.exe
File created	C:\Program Files\OpenVPN\doc\openvpn.8.html	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\libssl-1_1-x64.dll	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	___11.19.exe
File created	C:\Program Files\OpenVPN\bin\openvpn-gui.exe	msiexec.exe
File created	C:\Program Files\OpenVPN\sample-config\client.ovpn	msiexec.exe
File created	C:\Program Files\OpenVPN\res\ovpn.ico	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\libpkcs11-helper-1\openvpnserv.exe	3.exe

Drops file in Windows directory 47 IoCs

Processes:

msiexec.exe22.exeDrvInst.exeDrvInst.exeMsiExec.exeDrvInst.exeDrvInst.exeDrvInst.exe3.exe

description	ioc	process
File created	C:\Windows\Installer\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\openvpn.ico	msiexec.exe
File created	C:\Windows\Installer\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\tapctl_create.ico	msiexec.exe
File created	C:\Windows\Cursors\WUDFhosts.exe	22.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\6d0780.msi	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\tapctl_create.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37A1.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIDAD.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	MsiExec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\AppCompat\Programs\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	3.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI7465.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74F3.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\6d0781.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6d0781.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C81.tmp	msiexec.exe
File created	C:\Windows\Help\Winlogon.exe	22.exe
File created	C:\Windows\Help\active_desktop_render.dll	22.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\openvpn.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI7425.tmp	msiexec.exe
File created	C:\Windows\AppCompat\Programs\spoolsv.exe	3.exe
File opened for modification	C:\Windows\Installer\6d0780.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI154D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1781.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI15AB.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI81BA.tmp	msiexec.exe
File created	C:\Windows\Installer\6d0783.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3000 2140 WerFault.exe HD____11.19.exe
2856 1716 WerFault.exe Dcvxaamev.exe

pid	pid_target	process	target process
3000	2140	WerFault.exe	HD____11.19.exe
2856	1716	WerFault.exe	Dcvxaamev.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2688	schtasks.exe
2892	schtasks.exe
968	schtasks.exe
2132	schtasks.exe
2184	schtasks.exe
2424	schtasks.exe
548	schtasks.exe
2968	schtasks.exe
1960	schtasks.exe
2112	schtasks.exe
2888	schtasks.exe
2952	schtasks.exe
2768	schtasks.exe
2228	schtasks.exe
2552	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

Downloads.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main Downloads.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	Downloads.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exenetsh.exerundll32.exeDrvInst.exeDrvInst.exerundll32.exeDrvInst.exeDrvInst.exeMsiExec.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000070c11366e7e7d801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000f0461d66e7e7d801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000050a81f66e7e7d801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe

Modifies registry class 55 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\ = "import"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe\" --pause-exit --config \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.GUI.OnLogon = "OpenVPN.GUI"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\Drivers	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open\command\ = "\"notepad.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\Drivers.Wintun = "Drivers"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.Documentation = "OpenVPN"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.Service = "\x06OpenVPN"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\" --command import \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\EasyRSA = "\x06OpenSSL"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\PackageName = "OpenVPN-2.5.7-I602-amd64 (1).msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\run	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68FDB164983D1744FB639908B6461C72\B752B75C29D30CA4F88ED7F68FA1FE37	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\Drivers.TAPWindows6 = "Drivers"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\ProductName = "OpenVPN 2.5.7-I602 amd64"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\Net\1 = "C:\\Users\\Admin\\Desktop\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\run\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\ProductIcon = "C:\\Windows\\Installer\\{C57B257B-3D92-4AC0-8FE8-7D6FF81AEF73}\\openvpn.ico"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\PackageCode = "5E0DAF39EF8374D4AB3A9261238AF38B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\run\ = "Start OpenVPN on this config file"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\ = "Import into OpenVPN-GUI"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\Version = "33882148"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Desktop\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ovpn\ = "OpenVPNFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\ = "OpenVPN Config File"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.GUI = "OpenVPN"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\68FDB164983D1744FB639908B6461C72	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ovpn	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon\ = "C:\\Program Files\\OpenVPN\\res\\ovpn.ico,0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B752B75C29D30CA4F88ED7F68FA1FE37\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenSSL = "\x06"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37\OpenVPN.SampleCfg = "OpenVPN"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B752B75C29D30CA4F88ED7F68FA1FE37	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1100 PING.EXE

pid	process
1100	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeb6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe___11.19.exeOpus.exe3.exemediaget.exe

pid	process
584	msiexec.exe
584	msiexec.exe
1760	b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
1760	b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
2020	___11.19.exe
1360
1360
1360
1568	Opus.exe
1568	Opus.exe
1568	Opus.exe
1360
1360
1360
1360
1360
1360
432	3.exe
1360
1360
1360
1360
936	mediaget.exe
936	mediaget.exe
936	mediaget.exe
1360
1360
936	mediaget.exe
936	mediaget.exe
936	mediaget.exe
1360
936	mediaget.exe
936	mediaget.exe
936	mediaget.exe
1360
936	mediaget.exe
936	mediaget.exe
936	mediaget.exe
1360
936	mediaget.exe
936	mediaget.exe
936	mediaget.exe
1360
936	mediaget.exe
936	mediaget.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

1748 TXPlatforn.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exeDcvxaamev.exe8f1c8b40c7be588389a8d382040b23bb.exe

pid process

1760 b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
1052 Dcvxaamev.exe
1464 8f1c8b40c7be588389a8d382040b23bb.exe

pid	process
1748	TXPlatforn.exe

pid	process
1760	b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
1052	Dcvxaamev.exe
1464	8f1c8b40c7be588389a8d382040b23bb.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	584	msiexec.exe
Token: SeTakeOwnershipPrivilege	584	msiexec.exe
Token: SeSecurityPrivilege	584	msiexec.exe
Token: SeCreateTokenPrivilege	2012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2012	msiexec.exe
Token: SeLockMemoryPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeMachineAccountPrivilege	2012	msiexec.exe
Token: SeTcbPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeLoadDriverPrivilege	2012	msiexec.exe
Token: SeSystemProfilePrivilege	2012	msiexec.exe
Token: SeSystemtimePrivilege	2012	msiexec.exe
Token: SeProfSingleProcessPrivilege	2012	msiexec.exe
Token: SeIncBasePriorityPrivilege	2012	msiexec.exe
Token: SeCreatePagefilePrivilege	2012	msiexec.exe
Token: SeCreatePermanentPrivilege	2012	msiexec.exe
Token: SeBackupPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeDebugPrivilege	2012	msiexec.exe
Token: SeAuditPrivilege	2012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2012	msiexec.exe
Token: SeChangeNotifyPrivilege	2012	msiexec.exe
Token: SeRemoteShutdownPrivilege	2012	msiexec.exe
Token: SeUndockPrivilege	2012	msiexec.exe
Token: SeSyncAgentPrivilege	2012	msiexec.exe
Token: SeEnableDelegationPrivilege	2012	msiexec.exe
Token: SeManageVolumePrivilege	2012	msiexec.exe
Token: SeImpersonatePrivilege	2012	msiexec.exe
Token: SeCreateGlobalPrivilege	2012	msiexec.exe
Token: SeCreateTokenPrivilege	2012	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2012	msiexec.exe
Token: SeLockMemoryPrivilege	2012	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2012	msiexec.exe
Token: SeMachineAccountPrivilege	2012	msiexec.exe
Token: SeTcbPrivilege	2012	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeLoadDriverPrivilege	2012	msiexec.exe
Token: SeSystemProfilePrivilege	2012	msiexec.exe
Token: SeSystemtimePrivilege	2012	msiexec.exe
Token: SeProfSingleProcessPrivilege	2012	msiexec.exe
Token: SeIncBasePriorityPrivilege	2012	msiexec.exe
Token: SeCreatePagefilePrivilege	2012	msiexec.exe
Token: SeCreatePermanentPrivilege	2012	msiexec.exe
Token: SeBackupPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeShutdownPrivilege	2012	msiexec.exe
Token: SeDebugPrivilege	2012	msiexec.exe
Token: SeAuditPrivilege	2012	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2012	msiexec.exe
Token: SeChangeNotifyPrivilege	2012	msiexec.exe
Token: SeRemoteShutdownPrivilege	2012	msiexec.exe
Token: SeUndockPrivilege	2012	msiexec.exe
Token: SeSyncAgentPrivilege	2012	msiexec.exe
Token: SeEnableDelegationPrivilege	2012	msiexec.exe
Token: SeManageVolumePrivilege	2012	msiexec.exe
Token: SeImpersonatePrivilege	2012	msiexec.exe
Token: SeCreateGlobalPrivilege	2012	msiexec.exe
Token: SeCreateTokenPrivilege	2012	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exeopenvpn-gui.exe

pid process

2012 msiexec.exe
2012 msiexec.exe
1948 openvpn-gui.exe
1948 openvpn-gui.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

openvpn-gui.exe

pid process

1948 openvpn-gui.exe
1948 openvpn-gui.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Downloads.exe___11.19.exe8f1c8b40c7be588389a8d382040b23bb.exeDcvxaamev.exe22.exe

pid process

1104 Downloads.exe
1104 Downloads.exe
2020 ___11.19.exe
2020 ___11.19.exe
1464 8f1c8b40c7be588389a8d382040b23bb.exe
1052 Dcvxaamev.exe
960 22.exe

pid	process
2012	msiexec.exe
2012	msiexec.exe
1948	openvpn-gui.exe
1948	openvpn-gui.exe

pid	process
1948	openvpn-gui.exe
1948	openvpn-gui.exe

pid	process
1104	Downloads.exe
1104	Downloads.exe
2020	___11.19.exe
2020	___11.19.exe
1464	8f1c8b40c7be588389a8d382040b23bb.exe
1052	Dcvxaamev.exe
960	22.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeDrvInst.exeDrvInst.exeMsiExec.exeMsiExec.exeopenvpn-gui.exeRIP_YOUR_PC_LOL.exehealastounding.exe

description	pid	process	target process
PID 584 wrote to memory of 1684	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1684	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1684	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1684	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1684	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1652	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1652	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1652	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1652	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1652	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1368	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1368	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1368	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1368	584	msiexec.exe	MsiExec.exe
PID 584 wrote to memory of 1368	584	msiexec.exe	MsiExec.exe
PID 1072 wrote to memory of 1540	1072	DrvInst.exe	rundll32.exe
PID 1072 wrote to memory of 1540	1072	DrvInst.exe	rundll32.exe
PID 1072 wrote to memory of 1540	1072	DrvInst.exe	rundll32.exe
PID 2024 wrote to memory of 1608	2024	DrvInst.exe	rundll32.exe
PID 2024 wrote to memory of 1608	2024	DrvInst.exe	rundll32.exe
PID 2024 wrote to memory of 1608	2024	DrvInst.exe	rundll32.exe
PID 1368 wrote to memory of 1900	1368	MsiExec.exe	netsh.exe
PID 1368 wrote to memory of 1900	1368	MsiExec.exe	netsh.exe
PID 1368 wrote to memory of 1900	1368	MsiExec.exe	netsh.exe
PID 1368 wrote to memory of 516	1368	MsiExec.exe	netsh.exe
PID 1368 wrote to memory of 516	1368	MsiExec.exe	netsh.exe
PID 1368 wrote to memory of 516	1368	MsiExec.exe	netsh.exe
PID 1684 wrote to memory of 1948	1684	MsiExec.exe	openvpn-gui.exe
PID 1684 wrote to memory of 1948	1684	MsiExec.exe	openvpn-gui.exe
PID 1684 wrote to memory of 1948	1684	MsiExec.exe	openvpn-gui.exe
PID 1948 wrote to memory of 268	1948	openvpn-gui.exe	openvpn.exe
PID 1948 wrote to memory of 268	1948	openvpn-gui.exe	openvpn.exe
PID 1948 wrote to memory of 268	1948	openvpn-gui.exe	openvpn.exe
PID 1360 wrote to memory of 1320	1360		RIP_YOUR_PC_LOL.exe
PID 1360 wrote to memory of 1320	1360		RIP_YOUR_PC_LOL.exe
PID 1360 wrote to memory of 1320	1360		RIP_YOUR_PC_LOL.exe
PID 1360 wrote to memory of 1320	1360		RIP_YOUR_PC_LOL.exe
PID 1320 wrote to memory of 1520	1320	RIP_YOUR_PC_LOL.exe	healastounding.exe
PID 1320 wrote to memory of 1520	1320	RIP_YOUR_PC_LOL.exe	healastounding.exe
PID 1320 wrote to memory of 1520	1320	RIP_YOUR_PC_LOL.exe	healastounding.exe
PID 1320 wrote to memory of 1520	1320	RIP_YOUR_PC_LOL.exe	healastounding.exe
PID 1320 wrote to memory of 556	1320	RIP_YOUR_PC_LOL.exe	Pluto Panel.exe
PID 1320 wrote to memory of 556	1320	RIP_YOUR_PC_LOL.exe	Pluto Panel.exe
PID 1320 wrote to memory of 556	1320	RIP_YOUR_PC_LOL.exe	Pluto Panel.exe
PID 1320 wrote to memory of 556	1320	RIP_YOUR_PC_LOL.exe	Pluto Panel.exe
PID 1320 wrote to memory of 1184	1320	RIP_YOUR_PC_LOL.exe	0fd7de5367376231a788872005d7ed4f.exe
PID 1320 wrote to memory of 1184	1320	RIP_YOUR_PC_LOL.exe	0fd7de5367376231a788872005d7ed4f.exe
PID 1320 wrote to memory of 1184	1320	RIP_YOUR_PC_LOL.exe	0fd7de5367376231a788872005d7ed4f.exe
PID 1320 wrote to memory of 1184	1320	RIP_YOUR_PC_LOL.exe	0fd7de5367376231a788872005d7ed4f.exe
PID 1320 wrote to memory of 960	1320	RIP_YOUR_PC_LOL.exe	22.exe
PID 1320 wrote to memory of 960	1320	RIP_YOUR_PC_LOL.exe	22.exe
PID 1320 wrote to memory of 960	1320	RIP_YOUR_PC_LOL.exe	22.exe
PID 1320 wrote to memory of 960	1320	RIP_YOUR_PC_LOL.exe	22.exe
PID 1320 wrote to memory of 960	1320	RIP_YOUR_PC_LOL.exe	22.exe
PID 1320 wrote to memory of 960	1320	RIP_YOUR_PC_LOL.exe	22.exe
PID 1320 wrote to memory of 960	1320	RIP_YOUR_PC_LOL.exe	22.exe
PID 1520 wrote to memory of 1604	1520	healastounding.exe	test.exe
PID 1520 wrote to memory of 1604	1520	healastounding.exe	test.exe
PID 1520 wrote to memory of 1604	1520	healastounding.exe	test.exe
PID 1520 wrote to memory of 1604	1520	healastounding.exe	test.exe
PID 1520 wrote to memory of 1612	1520	healastounding.exe	gay.exe
PID 1520 wrote to memory of 1612	1520	healastounding.exe	gay.exe
PID 1520 wrote to memory of 1612	1520	healastounding.exe	gay.exe
PID 1520 wrote to memory of 1612	1520	healastounding.exe	gay.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

Processes:

3.exe3.exeOpus.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Opus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Opus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Opus.exe

outlook_win_path 1 IoCs

Processes:

aaa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aaa.exe

C:\Users\Admin\AppData\Local\Temp\Downloads.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\OpenVPN-2.5.7-I602-amd64 (1).msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2012

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 05B67D18F5DC745F86479FBA27536E1C C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files\OpenVPN\bin\openvpn-gui.exe
"C:\Program Files\OpenVPN\bin\openvpn-gui.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files\OpenVPN\bin\openvpn.exe
openvpn --version
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 8E9812B685C46ACE038115CAD0A4C00E
2⤵
- Loads dropped DLL
PID:1652

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 22B734F1894817DF29C1DBFAA1C2E831 M Global\MSI0000
2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\netsh.exe
netsh interface set interface name="Local Area Connection 2" newname="OpenVPN Wintun"
3⤵
- Modifies data under HKEY_USERS
PID:1900

C:\Windows\system32\netsh.exe
netsh interface set interface name="Local Area Connection 2" newname="OpenVPN TAP-Windows6"
3⤵
PID:516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1348

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000568" "000000000000032C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1596

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6b22850e-7c35-7017-357c-17709bdc2a6f}\wintun.inf" "9" "65109ab53" "000000000000032C" "WinSta0\Default" "0000000000000568" "208" "C:\Windows\Temp\de46534946d5613aa598c892a26a4182e94cd8b2dd3a6b923b7dde9c2b4b5c22"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2bec2ae7-e0b1-26f9-d6c8-9c2f82a6f34a} Global\{2f2d8b98-d59b-6a85-20e8-477fcc11540e} C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.inf C:\Windows\System32\DriverStore\Temp\{5b7ba0ff-770a-73ce-5454-fb706a536676}\wintun.cat
2⤵
- Modifies data under HKEY_USERS
PID:1540

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7104eb05-f44a-12d6-05eb-0471b794c41e}\OemVista.inf" "9" "68a913dff" "0000000000000568" "WinSta0\Default" "00000000000004A4" "208" "C:\Windows\Temp\1571a9adb2f64dcfff8b210f1870edb801825b3a54267cb0b9bd88abba8f1a60"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2bc51c5d-22f9-4e08-e2af-570ffb6a4c78} Global\{41fae03e-d645-7b76-dd27-bb6458cf5a18} C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\OemVista.inf C:\Windows\System32\DriverStore\Temp\{424c47e5-414c-17a2-f767-4500a0f1a256}\tap0901.cat
2⤵
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "wintun.inf:Wintun.NTamd64:Wintun.Install:0.8.0.0:wintun" "62b53aaff" "0000000000000330" "000000000000058C" "000000000000054C"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1960

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0001" "C:\Windows\INF\oem3.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:root\tap0901" "633338203" "00000000000002A8" "0000000000000330" "00000000000004C0"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1896

C:\Program Files\OpenVPN\bin\openvpnserv.exe
"C:\Program Files\OpenVPN\bin\openvpnserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900

C:\Program Files\OpenVPN\bin\openvpn-gui.exe
"C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --command import "C:\Users\Admin\Desktop\Russia-udp.ovpn"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008

C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe
"C:\Users\Admin\Desktop\b6f8463e125e6e761bbda7c5f570c785bc7000fd428fad3deebe88ed75fcb7ae.exe"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1760

C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\Desktop\RIP_YOUR_PC_LOL.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Roaming\healastounding.exe
"C:\Users\Admin\AppData\Roaming\healastounding.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Roaming\test.exe
"C:\Users\Admin\AppData\Roaming\test.exe"
3⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Roaming\gay.exe
"C:\Users\Admin\AppData\Roaming\gay.exe"
3⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Roaming\mediaget.exe
"C:\Users\Admin\AppData\Roaming\mediaget.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:936

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2500

C:\Users\Admin\AppData\Roaming\Opus.exe
"C:\Users\Admin\AppData\Roaming\Opus.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1872.tmp"
4⤵
- Creates scheduled task(s)
PID:548

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2E91.tmp"
4⤵
- Creates scheduled task(s)
PID:2112

C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1632

C:\Users\Admin\AppData\Roaming\aaa.exe
"C:\Users\Admin\AppData\Roaming\aaa.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8162955.bat" "C:\Users\Admin\AppData\Roaming\aaa.exe" "
5⤵
PID:2808

C:\Users\Admin\AppData\Roaming\4.exe
"C:\Users\Admin\AppData\Roaming\4.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552

C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:432

C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- System policy modification
PID:2112

C:\Users\Admin\AppData\Roaming\test\Opus.exe
"C:\Users\Admin\AppData\Roaming\test\Opus.exe"
6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System policy modification
PID:3016

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe
"C:\Users\Admin\AppData\Local\Temp\Dcvxaamev.exe"
5⤵
- Executes dropped EXE
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 848
6⤵
- Program crash
PID:2856

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016

C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe
"C:\Users\Admin\AppData\Local\Temp\FFDvbcrdfqs.exe"
5⤵
- Executes dropped EXE
PID:520

C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
"C:\Users\Admin\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
4⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1236

C:\Users\Admin\AppData\Roaming\Pluto Panel.exe
"C:\Users\Admin\AppData\Roaming\Pluto Panel.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
- Accesses Microsoft Outlook accounts
PID:2592

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:1916

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1184

C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
"C:\Users\Admin\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
3⤵
- Executes dropped EXE
PID:1712

C:\Users\Admin\AppData\Roaming\22.exe
"C:\Users\Admin\AppData\Roaming\22.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:960

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=Block
3⤵
PID:1760

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=Filter1
3⤵
PID:2488

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
3⤵
PID:2640

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
3⤵
PID:2784

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
3⤵
PID:2844

C:\Users\Admin\AppData\Roaming\___11.19.exe
"C:\Users\Admin\AppData\Roaming\___11.19.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
4⤵
PID:2008

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
5⤵
- Runs ping.exe
PID:1100

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
3⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
PID:828

C:\Users\Admin\AppData\Roaming\HD____11.19.exe
C:\Users\Admin\AppData\Roaming\HD____11.19.exe
3⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 324
4⤵
- Program crash
PID:3000

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
PID:1748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Drops file in System32 directory
PID:1744

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\8134594.txt",MainThread
2⤵
- Executes dropped EXE
PID:2300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\wshirda\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aaa" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Opus\aaa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "openvpn-gui" /sc ONLOGON /tr "'C:\Recovery\31001cc2-2a3d-11ed-9244-9c23e66b04e4\openvpn-gui.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\DisableDismount\a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "openvpnserv" /sc ONLOGON /tr "'C:\Program Files\OpenVPN\bin\libpkcs11-helper-1\openvpnserv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0fd7de5367376231a788872005d7ed4f" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\pid\0fd7de5367376231a788872005d7ed4f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Opus" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\test\Opus.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "openvpn-gui" /sc ONLOGON /tr "'C:\Program Files\OpenVPN\bin\openvpnserv\openvpn-gui.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\jnwmon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "160340192818797396851470131155-7780651571704574106-19396846661932494448-430395747"
1⤵
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" /sc ONLOGON /tr "'C:\Windows\SysWOW64\extrac32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\KBDSP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery