glupteba | a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	6dn6cA1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6dn6cA1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6dn6cA1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6dn6cA1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6dn6cA1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6dn6cA1.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/memory/1812-36-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x000a000000022e13-236.dat	family_redline
behavioral1/files/0x000a000000022e13-237.dat	family_redline
behavioral1/memory/2844-517-0x0000000000530000-0x000000000056C000-memory.dmp	family_redline
behavioral1/files/0x0009000000022e2d-527.dat	family_redline
behavioral1/files/0x0009000000022e2d-526.dat	family_redline
behavioral1/memory/3964-576-0x0000000000470000-0x00000000004CA000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000022e13-236.dat	family_sectoprat
behavioral1/files/0x000a000000022e13-237.dat	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
1444	netsh.exe

.NET Reactor proctector 20 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/3356-68-0x0000000002280000-0x00000000022A0000-memory.dmp	net_reactor
behavioral1/memory/3356-70-0x0000000004A90000-0x0000000004AA0000-memory.dmp	net_reactor
behavioral1/memory/3356-72-0x0000000004990000-0x00000000049AE000-memory.dmp	net_reactor
behavioral1/memory/3356-73-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-74-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-76-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-78-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-80-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-82-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-84-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-86-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-88-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-90-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-92-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-94-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-96-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-98-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-100-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-102-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/3356-104-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	D397.exe

Executes dropped EXE 15 IoCs

pid	Process
2680	Jk5Bl98.exe
3504	En5ZU04.exe
3660	ym5Be54.exe
2120	2Op4952.exe
2444	3Nk48WN.exe
3584	4od163Ad.exe
3540	5Ix2uY8.exe
3356	6dn6cA1.exe
2212	D397.exe
4760	InstallSetup5.exe
3360	toolspub2.exe
380	31839b57a4f11171d6abc8bbc4451ee4.exe
3264	Broom.exe
3036	toolspub2.exe
4908	31839b57a4f11171d6abc8bbc4451ee4.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000022e4d-3180.dat	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	6dn6cA1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6dn6cA1.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	En5ZU04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ym5Be54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jk5Bl98.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2120 set thread context of 60	2120	2Op4952.exe	104
PID 2444 set thread context of 1812	2444	3Nk48WN.exe	110
PID 3584 set thread context of 1744	3584	4od163Ad.exe	120
PID 3360 set thread context of 3036	3360	toolspub2.exe	129

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1612	sc.exe
4852	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3880	60	WerFault.exe	104
2756	3964	WerFault.exe	153
4324	4188	WerFault.exe	152

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Ix2uY8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Ix2uY8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Ix2uY8.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3960	schtasks.exe
1624	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3540	5Ix2uY8.exe
3540	5Ix2uY8.exe
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3356	6dn6cA1.exe
3356	6dn6cA1.exe
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found
3384	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3540	5Ix2uY8.exe
3036	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	6dn6cA1.exe
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeShutdownPrivilege	3384	Process not Found
Token: SeCreatePagefilePrivilege	3384	Process not Found
Token: SeDebugPrivilege	380	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	380	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3264	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 2680	3952	a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe	86
PID 3952 wrote to memory of 2680	3952	a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe	86
PID 3952 wrote to memory of 2680	3952	a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe	86
PID 2680 wrote to memory of 3504	2680	Jk5Bl98.exe	87
PID 2680 wrote to memory of 3504	2680	Jk5Bl98.exe	87
PID 2680 wrote to memory of 3504	2680	Jk5Bl98.exe	87
PID 3504 wrote to memory of 3660	3504	En5ZU04.exe	88
PID 3504 wrote to memory of 3660	3504	En5ZU04.exe	88
PID 3504 wrote to memory of 3660	3504	En5ZU04.exe	88
PID 3660 wrote to memory of 2120	3660	ym5Be54.exe	89
PID 3660 wrote to memory of 2120	3660	ym5Be54.exe	89
PID 3660 wrote to memory of 2120	3660	ym5Be54.exe	89
PID 2120 wrote to memory of 3964	2120	2Op4952.exe	103
PID 2120 wrote to memory of 3964	2120	2Op4952.exe	103
PID 2120 wrote to memory of 3964	2120	2Op4952.exe	103
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 2120 wrote to memory of 60	2120	2Op4952.exe	104
PID 3660 wrote to memory of 2444	3660	ym5Be54.exe	105
PID 3660 wrote to memory of 2444	3660	ym5Be54.exe	105
PID 3660 wrote to memory of 2444	3660	ym5Be54.exe	105
PID 2444 wrote to memory of 2220	2444	3Nk48WN.exe	109
PID 2444 wrote to memory of 2220	2444	3Nk48WN.exe	109
PID 2444 wrote to memory of 2220	2444	3Nk48WN.exe	109
PID 2444 wrote to memory of 1812	2444	3Nk48WN.exe	110
PID 2444 wrote to memory of 1812	2444	3Nk48WN.exe	110
PID 2444 wrote to memory of 1812	2444	3Nk48WN.exe	110
PID 2444 wrote to memory of 1812	2444	3Nk48WN.exe	110
PID 2444 wrote to memory of 1812	2444	3Nk48WN.exe	110
PID 2444 wrote to memory of 1812	2444	3Nk48WN.exe	110
PID 2444 wrote to memory of 1812	2444	3Nk48WN.exe	110
PID 2444 wrote to memory of 1812	2444	3Nk48WN.exe	110
PID 3504 wrote to memory of 3584	3504	En5ZU04.exe	111
PID 3504 wrote to memory of 3584	3504	En5ZU04.exe	111
PID 3504 wrote to memory of 3584	3504	En5ZU04.exe	111
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 3584 wrote to memory of 1744	3584	4od163Ad.exe	120
PID 2680 wrote to memory of 3540	2680	Jk5Bl98.exe	121
PID 2680 wrote to memory of 3540	2680	Jk5Bl98.exe	121
PID 2680 wrote to memory of 3540	2680	Jk5Bl98.exe	121
PID 3952 wrote to memory of 3356	3952	a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe	122
PID 3952 wrote to memory of 3356	3952	a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe	122
PID 3952 wrote to memory of 3356	3952	a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe	122
PID 3384 wrote to memory of 2212	3384	Process not Found	123
PID 3384 wrote to memory of 2212	3384	Process not Found	123
PID 3384 wrote to memory of 2212	3384	Process not Found	123
PID 2212 wrote to memory of 4760	2212	D397.exe	125
PID 2212 wrote to memory of 4760	2212	D397.exe	125
PID 2212 wrote to memory of 4760	2212	D397.exe	125
PID 2212 wrote to memory of 3360	2212	D397.exe	126

C:\Users\Admin\AppData\Local\Temp\a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe
"C:\Users\Admin\AppData\Local\Temp\a1e49be724886eb08dbba45b4b19cbc5ce6a0cc79ba35bc6d7cdd6cf00178fdc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk5Bl98.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk5Bl98.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\En5ZU04.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\En5ZU04.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ym5Be54.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ym5Be54.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Op4952.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Op4952.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2120
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3964
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:60
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 540
        7⤵
        Program crash
        
        PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Nk48WN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Nk48WN.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2220
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4od163Ad.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4od163Ad.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1744
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Ix2uY8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Ix2uY8.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6dn6cA1.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6dn6cA1.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 60 -ip 60
1⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\D397.exe
C:\Users\Admin\AppData\Local\Temp\D397.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  - Executes dropped EXE
  PID:4760
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3264
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:3036
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:964
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:1444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4088
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1168
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:4064
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3176
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:3960
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1724
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2076
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:4764
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:1624
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:880
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:3804
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4852

C:\Users\Admin\AppData\Local\Temp\2283.exe
C:\Users\Admin\AppData\Local\Temp\2283.exe
1⤵
PID:3652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:2844

C:\Users\Admin\AppData\Local\Temp\25C0.exe
C:\Users\Admin\AppData\Local\Temp\25C0.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\628C.exe
C:\Users\Admin\AppData\Local\Temp\628C.exe
1⤵
PID:4784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:2372

C:\Users\Admin\AppData\Local\Temp\6675.exe
C:\Users\Admin\AppData\Local\Temp\6675.exe
1⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\72CA.exe
C:\Users\Admin\AppData\Local\Temp\72CA.exe
1⤵
PID:4188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1176
  2⤵
  - Program crash
  PID:4324

C:\Users\Admin\AppData\Local\Temp\7423.exe
C:\Users\Admin\AppData\Local\Temp\7423.exe
1⤵
PID:3964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 784
  2⤵
  - Program crash
  PID:2756

C:\Users\Admin\AppData\Local\Temp\7702.exe
C:\Users\Admin\AppData\Local\Temp\7702.exe
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3964 -ip 3964
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4188 -ip 4188
1⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:3696

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry