amadey | b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	517A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	517A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	517A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	517A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	517A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000c0000000231f6-215.dat	family_redline
behavioral2/files/0x000c0000000231f6-216.dat	family_redline
behavioral2/memory/2328-220-0x0000000000EE0000-0x0000000000F1E000-memory.dmp	family_redline
behavioral2/files/0x000600000002325d-452.dat	family_redline
behavioral2/memory/4240-471-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	842A.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools	842A.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

Windows Service

pid	Process
1524	netsh.exe

.NET Reactor proctector 18 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/2656-470-0x00000000020F0000-0x0000000002110000-memory.dmp	net_reactor
behavioral2/memory/2656-476-0x0000000002630000-0x000000000264E000-memory.dmp	net_reactor
behavioral2/memory/2656-479-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-480-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-483-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-485-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-488-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-490-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-492-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-494-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-496-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-501-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-504-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-506-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-509-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-511-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-515-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor
behavioral2/memory/2656-517-0x0000000002630000-0x0000000002648000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	842A.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	w6385989.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	75E1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	5CC9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	t3628529.exe
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 55 IoCs

pid	Process
3232	z4420781.exe
4532	z9846316.exe
4776	z6971971.exe
852	z4170220.exe
1468	q4513160.exe
2068	r2014171.exe
4816	s8847273.exe
2400	t3628529.exe
2232	explonde.exe
1648	u6562103.exe
2176	sus.exe
1468	foto2552.exe
4728	w6385989.exe
3536	PY7xi2EX.exe
2196	Gq5LF2NL.exe
2284	GL2UB3gT.exe
1436	Er1Jb6pC.exe
4964	legota.exe
1552	1fJ09tq5.exe
2168	nalo.exe
2328	2gA840Qk.exe
2544	socks.exe
2112	tvqccq.exe
3032	4CB4.exe
4920	4D61.exe
560	MU0Vk9th.exe
1152	Kg5JV7VZ.exe
3900	hr3Gd1wJ.exe
4856	wO2jM2dA.exe
1832	1mP48Ne7.exe
2332	5051.exe
2656	517A.exe
852	5341.exe
2152	2oA114KX.exe
4204	5804.exe
3752	5A96.exe
4064	5CC9.exe
5320	6352.exe
1400	75E1.exe
5396	legota.exe
5564	31839b57a4f11171d6abc8bbc4451ee4.exe
1052	Conhost.exe
6572	oneetx.exe
6980	Conhost.exe
5652	explonde.exe
6292	842A.exe
6828	31839b57a4f11171d6abc8bbc4451ee4.exe
5836	csrss.exe
6916	injector.exe
3916	windefender.exe
3300	windefender.exe
6868	tvqccq.exe
6292	legota.exe
1848	explonde.exe
5720	oneetx.exe

Loads dropped DLL 4 IoCs

pid	Process
4204	5804.exe
4204	5804.exe
3360	rundll32.exe
5868	rundll32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	517A.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4420781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	foto2552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	Gq5LF2NL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	MU0Vk9th.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	hr3Gd1wJ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sus.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000075051\\sus.exe"	explonde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	GL2UB3gT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	Er1Jb6pC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000127051\\socks.exe"	legota.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4CB4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\""	wO2jM2dA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9846316.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6971971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	PY7xi2EX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto2552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000076051\\foto2552.exe"	explonde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4170220.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe"	explonde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\""	Kg5JV7VZ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
154	ipinfo.io
156	ipinfo.io

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	842A.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	842A.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 1468 set thread context of 1752	1468	q4513160.exe	101
PID 2068 set thread context of 2856	2068	r2014171.exe	106
PID 4816 set thread context of 4240	4816	s8847273.exe	113
PID 1648 set thread context of 3392	1648	Process not Found	132
PID 2176 set thread context of 2516	2176	sus.exe	137
PID 2168 set thread context of 3636	2168	nalo.exe	155
PID 1552 set thread context of 1400	1552	1fJ09tq5.exe	158
PID 4920 set thread context of 1948	4920	4D61.exe	202
PID 1832 set thread context of 4124	1832	1mP48Ne7.exe	207
PID 2332 set thread context of 4240	2332	5051.exe	211
PID 5320 set thread context of 5668	5320	6352.exe	238
PID 6980 set thread context of 6292	6980	Conhost.exe	264

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\tvqccq.job	socks.exe
File opened for modification	C:\Windows\Tasks\tvqccq.job	socks.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2848	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
3756	4536	WerFault.exe	82
3252	1468	WerFault.exe	99
3532	2068	WerFault.exe	104
1804	2856	WerFault.exe	106
1548	4816	WerFault.exe	111
452	1648	WerFault.exe	118
1296	2176	WerFault.exe	134
2920	2168	WerFault.exe	144
3648	1552	WerFault.exe	146
3672	3636	WerFault.exe	155
1832	1400	WerFault.exe	158
440	4920	WerFault.exe	192
640	1832	WerFault.exe	199
1936	4124	WerFault.exe	207
4064	2332	WerFault.exe	205
5204	4204	WerFault.exe	220

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	842A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3812	schtasks.exe
4548	schtasks.exe
6796	schtasks.exe
3144	schtasks.exe
6384	schtasks.exe

Enumerates system info in registry 2 TTPs 17 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	842A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\BIOS	842A.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation	842A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	842A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 30 IoCs

pid	Process
6452	taskkill.exe
4548	taskkill.exe
1688	taskkill.exe
5872	taskkill.exe
5988	taskkill.exe
4420	taskkill.exe
6444	taskkill.exe
5432	taskkill.exe
5588	taskkill.exe
5876	taskkill.exe
6020	taskkill.exe
6380	taskkill.exe
6296	taskkill.exe
1184	taskkill.exe
6316	taskkill.exe
6000	taskkill.exe
4216	taskkill.exe
1148	taskkill.exe
6100	taskkill.exe
6860	taskkill.exe
6208	taskkill.exe
6996	taskkill.exe
6200	taskkill.exe
1336	taskkill.exe
6160	taskkill.exe
6464	taskkill.exe
5148	taskkill.exe
4236	taskkill.exe
6972	taskkill.exe
5356	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2609025996"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404192615"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C6358D11-6BD5-11EE-941E-CE3E7C77A9B8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad356000000000020000000000106600000001000020000000baca9472d60f084722f95f4f0af82bd828bb9c2c10513e838fb2a070fd8a8273000000000e8000000002000020000000f8298e181bd2ed1d47ce53d058ef0a28aa9bf338bbfbd3b61aa1619236b338b2200000001058679f81854db24c029ae3bf06b527cd0e7f57aa9ffe2bb510949925d75aed4000000017798a1a0e57acdf9c18489ff51f4daf548030e10de167dbb9ca9e2ca0b67877161403c9357a0c40ebcd0c6e87a280c25b5d836d9809d03c36345328845be13f	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2598835866"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064034"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2598835866"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31064034"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2095da9de2ffd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad3560000000000200000000001066000000010000200000003dbe0efb9b8af0e7368025fd9c9875cdcf36bd6df59aa2512d7085ea6b599139000000000e8000000002000020000000180ac98cff13af23bcb523a02058f84621049a725b5e8fb30668f7fd64bfcddf2000000069778e7634f8e6ef7a97ac9f37dc33303cdb2a98ed18be902e2becf82bad0044400000009b4641421eb3f813405d64841b70b8c88dcf8c5ee73783f83232838a14931daa070bb87b5fef540f431ec87812e26151a8eb994ad5e737e02f71e7a1118c2f93	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02f019ee2ffd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064034"	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-919254492-3979293997-764407192-1000\{D8998E84-17A7-46DD-AE2F-C03CA5E167D2}	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	842A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	842A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	842A.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	AppLaunch.exe
1752	AppLaunch.exe
4240	AppLaunch.exe
4240	AppLaunch.exe
4956	powershell.exe
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
4956	powershell.exe
4956	powershell.exe
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found
3148	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4240	AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	AppLaunch.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	3148	Process not Found
Token: SeCreatePagefilePrivilege	3148	Process not Found
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe
Token: SeShutdownPrivilege	4280	chrome.exe
Token: SeCreatePagefilePrivilege	4280	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
2228	iexplore.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
1052	Conhost.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
4280	chrome.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe
5528	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2228	iexplore.exe
2228	iexplore.exe
1172	IEXPLORE.EXE
1172	IEXPLORE.EXE
1172	IEXPLORE.EXE
1172	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3148	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4536 wrote to memory of 4748	4536	b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe	89
PID 4748 wrote to memory of 3232	4748	AppLaunch.exe	94
PID 4748 wrote to memory of 3232	4748	AppLaunch.exe	94
PID 4748 wrote to memory of 3232	4748	AppLaunch.exe	94
PID 3232 wrote to memory of 4532	3232	z4420781.exe	96
PID 3232 wrote to memory of 4532	3232	z4420781.exe	96
PID 3232 wrote to memory of 4532	3232	z4420781.exe	96
PID 4532 wrote to memory of 4776	4532	z9846316.exe	97
PID 4532 wrote to memory of 4776	4532	z9846316.exe	97
PID 4532 wrote to memory of 4776	4532	z9846316.exe	97
PID 4776 wrote to memory of 852	4776	z6971971.exe	98
PID 4776 wrote to memory of 852	4776	z6971971.exe	98
PID 4776 wrote to memory of 852	4776	z6971971.exe	98
PID 852 wrote to memory of 1468	852	z4170220.exe	99
PID 852 wrote to memory of 1468	852	z4170220.exe	99
PID 852 wrote to memory of 1468	852	z4170220.exe	99
PID 1468 wrote to memory of 1752	1468	q4513160.exe	101
PID 1468 wrote to memory of 1752	1468	q4513160.exe	101
PID 1468 wrote to memory of 1752	1468	q4513160.exe	101
PID 1468 wrote to memory of 1752	1468	q4513160.exe	101
PID 1468 wrote to memory of 1752	1468	q4513160.exe	101
PID 1468 wrote to memory of 1752	1468	q4513160.exe	101
PID 1468 wrote to memory of 1752	1468	q4513160.exe	101
PID 1468 wrote to memory of 1752	1468	q4513160.exe	101
PID 852 wrote to memory of 2068	852	z4170220.exe	104
PID 852 wrote to memory of 2068	852	z4170220.exe	104
PID 852 wrote to memory of 2068	852	z4170220.exe	104
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 2068 wrote to memory of 2856	2068	r2014171.exe	106
PID 4776 wrote to memory of 4816	4776	z6971971.exe	111
PID 4776 wrote to memory of 4816	4776	z6971971.exe	111
PID 4776 wrote to memory of 4816	4776	z6971971.exe	111
PID 4816 wrote to memory of 4240	4816	s8847273.exe	113
PID 4816 wrote to memory of 4240	4816	s8847273.exe	113
PID 4816 wrote to memory of 4240	4816	s8847273.exe	113
PID 4816 wrote to memory of 4240	4816	s8847273.exe	113
PID 4816 wrote to memory of 4240	4816	s8847273.exe	113
PID 4816 wrote to memory of 4240	4816	s8847273.exe	113
PID 4532 wrote to memory of 2400	4532	z9846316.exe	116
PID 4532 wrote to memory of 2400	4532	z9846316.exe	116
PID 4532 wrote to memory of 2400	4532	z9846316.exe	116
PID 2400 wrote to memory of 2232	2400	t3628529.exe	117
PID 2400 wrote to memory of 2232	2400	t3628529.exe	117
PID 2400 wrote to memory of 2232	2400	t3628529.exe	117
PID 3232 wrote to memory of 1648	3232	z4420781.exe	118
PID 3232 wrote to memory of 1648	3232	z4420781.exe	118
PID 3232 wrote to memory of 1648	3232	z4420781.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe
"C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - DcRat
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4776
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 136
        8⤵
        Program crash
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 212
        9⤵
        Program crash
        
        PID:1804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 140
        8⤵
        Program crash
        
        PID:3532
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 572
        7⤵
        Program crash
        
        PID:1548
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2232
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        7⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        8⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        8⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        8⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:17410 /prefetch:2
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
        8⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4280
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc2d9758,0x7ff9bc2d9768,0x7ff9bc2d9778
        9⤵
        
        PID:3160
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:2
        9⤵
        
        PID:3324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:8
        9⤵
        
        PID:648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:8
        9⤵
        
        PID:2848
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:1
        9⤵
        
        PID:3596
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3228 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:1
        9⤵
        
        PID:2132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4648 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:1
        9⤵
        
        PID:2840
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:8
        9⤵
        Modifies registry class
        
        PID:3144
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4852 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:8
        9⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 152
        8⤵
        Program crash
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PY7xi2EX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PY7xi2EX.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 540
        9⤵
        Program crash
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 136
        8⤵
        Program crash
        
        PID:2920
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe
      4⤵
      Executes dropped EXE
      PID:1648
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 148
        5⤵
        Program crash
        
        PID:452
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6385989.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6385989.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 296
  2⤵
  - Program crash
  PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4536 -ip 4536
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1468 -ip 1468
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2068 -ip 2068
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2856 -ip 2856
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4816 -ip 4816
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1648 -ip 1648
1⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Gq5LF2NL.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Gq5LF2NL.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2196
- C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\GL2UB3gT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\GL2UB3gT.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1552
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4604
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 540
        6⤵
        Program crash
        
        PID:1832
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2764
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 588
        5⤵
        Program crash
        
        PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2gA840Qk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2gA840Qk.exe
      4⤵
      Executes dropped EXE
      PID:2328

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "legota.exe" /P "Admin:N"
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "legota.exe" /P "Admin:R" /E
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "..\cb378487cf" /P "Admin:N"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\cacls.exe
    CACLS "..\cb378487cf" /P "Admin:R" /E
    3⤵
    PID:852
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe
  "C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2544
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2176 -ip 2176
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2168 -ip 2168
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3636 -ip 3636
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1552 -ip 1552
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1400 -ip 1400
1⤵
PID:404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4584

C:\ProgramData\xicidp\tvqccq.exe
C:\ProgramData\xicidp\tvqccq.exe start2
1⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Local\Temp\4CB4.exe
C:\Users\Admin\AppData\Local\Temp\4CB4.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:560
- - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:3900
    - - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 200
        8⤵
        Program crash
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 148
        7⤵
        Program crash
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe
        6⤵
        Executes dropped EXE
        
        PID:2152

C:\Users\Admin\AppData\Local\Temp\4D61.exe
C:\Users\Admin\AppData\Local\Temp\4D61.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 272
  2⤵
  - Program crash
  PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4F17.bat" "
1⤵
PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0xbc,0x7ff9ab4546f8,0x7ff9ab454708,0x7ff9ab454718
    3⤵
    PID:5148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    3⤵
    PID:5532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
    3⤵
    PID:5540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
    3⤵
    PID:5616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    3⤵
    PID:5760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:5748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
    3⤵
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
    3⤵
    PID:6100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
    3⤵
    PID:6624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
    3⤵
    PID:6616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
    3⤵
    PID:7140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
    3⤵
    PID:7128
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
    3⤵
    PID:6876
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
    3⤵
    PID:6872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  2⤵
  PID:5560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ab4546f8,0x7ff9ab454708,0x7ff9ab454718
    3⤵
    PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4920 -ip 4920
1⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\5051.exe
C:\Users\Admin\AppData\Local\Temp\5051.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 148
  2⤵
  - Program crash
  PID:4064

C:\Users\Admin\AppData\Local\Temp\517A.exe
C:\Users\Admin\AppData\Local\Temp\517A.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832
1⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\5341.exe
C:\Users\Admin\AppData\Local\Temp\5341.exe
1⤵
- Executes dropped EXE
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4124 -ip 4124
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2332 -ip 2332
1⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\5804.exe
C:\Users\Admin\AppData\Local\Temp\5804.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 784
  2⤵
  - Program crash
  PID:5204

C:\Users\Admin\AppData\Local\Temp\5A96.exe
C:\Users\Admin\AppData\Local\Temp\5A96.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Users\Admin\AppData\Local\Temp\5CC9.exe
C:\Users\Admin\AppData\Local\Temp\5CC9.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  PID:4584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc2d9758,0x7ff9bc2d9768,0x7ff9bc2d9778
    3⤵
    PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc2d9758,0x7ff9bc2d9768,0x7ff9bc2d9778
    3⤵
    PID:5540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8
    3⤵
    PID:5880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:2
    3⤵
    PID:2536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8
    3⤵
    PID:6216
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:1
    3⤵
    PID:6324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:1
    3⤵
    PID:6816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4632 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:1
    3⤵
    PID:5712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8
    3⤵
    PID:5476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8
    3⤵
    PID:440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8
    3⤵
    PID:5924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8
    3⤵
    PID:6956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8
    3⤵
    PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4204 -ip 4204
1⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\6352.exe
C:\Users\Admin\AppData\Local\Temp\6352.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:5668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    - Enumerates system info in registry
    PID:492
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc2d9758,0x7ff9bc2d9768,0x7ff9bc2d9778
      4⤵
      PID:6268

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5396

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:5652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\75E1.exe
C:\Users\Admin\AppData\Local\Temp\75E1.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1400
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  PID:5564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:6188
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:6828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:6332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:6052
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:5160
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:6452
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      PID:5836
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:6988
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3144
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:4104
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:7112
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2832
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:6916
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:6384
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:3916
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:2848
- C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
  2⤵
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6572
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:6796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
      4⤵
      PID:6820
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:6920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:6912
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:6948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:7068
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        5⤵
        
        PID:7080
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        5⤵
        
        PID:5324

C:\Users\Admin\AppData\Local\Temp\842A.exe
C:\Users\Admin\AppData\Local\Temp\842A.exe
1⤵
PID:6980
- C:\Users\Admin\AppData\Local\Temp\842A.exe
  C:\Users\Admin\AppData\Local\Temp\842A.exe
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies system certificate store
  PID:6292
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c
    3⤵
    PID:6104
- - C:\Windows\system32\runas.exe
    runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\842A.exe
    3⤵
    PID:6860
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:5988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:6980
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:6296
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM brave.exe
    3⤵
    - Kills process with taskkill
    PID:6452
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    PID:6200
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Skype.exe
    3⤵
    - Kills process with taskkill
    PID:1148
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:1052
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM browser.exe
    3⤵
    - Kills process with taskkill
    PID:1184
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iridium.exe
    3⤵
    - Kills process with taskkill
    PID:6100
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6948
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM uran.exe
    3⤵
    - Kills process with taskkill
    PID:5876
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM epic.exe
    3⤵
    - Kills process with taskkill
    PID:4420
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM vivaldi.exe
    3⤵
    - Kills process with taskkill
    PID:6860
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM sputnik.exe
    3⤵
    - Kills process with taskkill
    PID:5148
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM 7star.exe
    3⤵
    - Kills process with taskkill
    PID:1336
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM centbrowser.exe
    3⤵
    - Kills process with taskkill
    PID:6208
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM amigo.exe
    3⤵
    - Kills process with taskkill
    PID:6444
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM torch.exe
    3⤵
    - Kills process with taskkill
    PID:6316
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM kometa.exe
    3⤵
    - Kills process with taskkill
    PID:6020
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM orbitum.exe
    3⤵
    - Kills process with taskkill
    PID:4548
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM viber.exe
    3⤵
    - Kills process with taskkill
    PID:4236
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WhatsApp.exe.
    3⤵
    - Kills process with taskkill
    PID:5588
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM monero-wallet-gui.exe
    3⤵
    - Kills process with taskkill
    PID:5432
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM coinomi.exe
    3⤵
    - Kills process with taskkill
    PID:6972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM bitcoin-qt.exe
    3⤵
    - Kills process with taskkill
    PID:5872
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM bytecoinwallet.exe
    3⤵
    - Kills process with taskkill
    PID:6380
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM armoryqt.exe
    3⤵
    - Kills process with taskkill
    PID:6160
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5624
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM atomicwallet.exe
    3⤵
    - Kills process with taskkill
    PID:6464
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM exodus.exe
    3⤵
    - Kills process with taskkill
    PID:1688
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM electrum.exe
    3⤵
    - Kills process with taskkill
    PID:5356
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM dash-qt.exe
    3⤵
    - Kills process with taskkill
    PID:4216
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM litecoin-qt.exe
    3⤵
    - Kills process with taskkill
    PID:6000
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM bitcoin-qt.exe
    3⤵
    - Kills process with taskkill
    PID:6996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:6908

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3300

C:\ProgramData\xicidp\tvqccq.exe
C:\ProgramData\xicidp\tvqccq.exe start2
1⤵
- Executes dropped EXE
PID:6868

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:6292

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:5720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion