glupteba | f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802

Processes:

B73B.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\B73B.exe = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	B73B.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

mi.exeupdater.exe821E.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	821E.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

mi.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts mi.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3040 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	mi.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
3040	netsh.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

821E.exemi.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	821E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	821E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Deletes itself 1 IoCs

Processes:

pid process

3352

pid	process
3352

Executes dropped EXE 15 IoCs

Processes:

6666.exe6955.exe821E.exe8701.exeA21C.exeB73B.exeD350.exeD350.tmpmi.exeB73B.execsrss.exeupdater.exeinjector.exewindefender.exewindefender.exe

pid	process
2408	6666.exe
2688	6955.exe
3664	821E.exe
1532	8701.exe
204	A21C.exe
524	B73B.exe
2532	D350.exe
4820	D350.tmp
4216	mi.exe
4104	B73B.exe
2064	csrss.exe
308	updater.exe
3344	injector.exe
4244	windefender.exe
2864	windefender.exe

Loads dropped DLL 5 IoCs

Processes:

6666.exeregsvr32.exeD350.tmp

pid process

2408 6666.exe
320 regsvr32.exe
4820 D350.tmp
4820 D350.tmp
4820 D350.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\821E.exe	themida
C:\Users\Admin\AppData\Local\Temp\821E.exe	themida
behavioral1/memory/3664-48-0x0000000000310000-0x0000000000BA2000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\mi.exe	themida
C:\Users\Admin\AppData\Local\Temp\mi.exe	themida
behavioral1/memory/4216-756-0x00007FF7BC670000-0x00007FF7BD3DE000-memory.dmp	themida
behavioral1/memory/4216-761-0x00007FF7BC670000-0x00007FF7BD3DE000-memory.dmp	themida
behavioral1/memory/4216-765-0x00007FF7BC670000-0x00007FF7BD3DE000-memory.dmp	themida
behavioral1/memory/4216-1973-0x00007FF7BC670000-0x00007FF7BD3DE000-memory.dmp	themida
C:\ProgramData\Google\Chrome\updater.exe	themida
C:\ProgramData\Google\Chrome\updater.exe	themida
behavioral1/memory/308-1984-0x00007FF6822D0000-0x00007FF68303E000-memory.dmp	themida
behavioral1/memory/308-1989-0x00007FF6822D0000-0x00007FF68303E000-memory.dmp	themida
behavioral1/memory/308-1991-0x00007FF6822D0000-0x00007FF68303E000-memory.dmp	themida

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3332-2386-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3332-2388-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3332-2390-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3332-2393-0x0000000140000000-0x0000000140848000-memory.dmp	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

B73B.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	B73B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\B73B.exe = "0"	B73B.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

B73B.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	B73B.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

821E.exemi.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	821E.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupdater.exepowershell.exemi.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	mi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

821E.exemi.exeupdater.exe

pid process

3664 821E.exe
4216 mi.exe
308 updater.exe

pid	process
3664	821E.exe
4216	mi.exe
308	updater.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

8701.exe6666.exeupdater.exe

description	pid	process	target process
PID 1532 set thread context of 1372	1532	8701.exe	AppLaunch.exe
PID 2408 set thread context of 164	2408	6666.exe	RegSvcs.exe
PID 308 set thread context of 4112	308	updater.exe	conhost.exe
PID 308 set thread context of 3332	308	updater.exe	explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

B73B.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN B73B.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	B73B.exe

Drops file in Program Files directory 5 IoCs

Processes:

D350.tmp

description	ioc	process
File created	C:\Program Files (x86)\Voicemeeter\stuff\is-K0IHG.tmp	D350.tmp
File created	C:\Program Files (x86)\Voicemeeter\stuff\is-URNV6.tmp	D350.tmp
File created	C:\Program Files (x86)\Voicemeeter\stuff\is-06SAS.tmp	D350.tmp
File created	C:\Program Files (x86)\Voicemeeter\uninstall\unins000.dat	D350.tmp
File created	C:\Program Files (x86)\Voicemeeter\uninstall\is-URLB7.tmp	D350.tmp

Drops file in Windows directory 4 IoCs

Processes:

csrss.exeB73B.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	B73B.exe
File created	C:\Windows\rss\csrss.exe	B73B.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3272	sc.exe
4548	sc.exe
1400	sc.exe
2284	sc.exe
4948	sc.exe
4344	sc.exe
1720	sc.exe
4156	sc.exe
3664	sc.exe
3040	sc.exe
1348	sc.exe
3364	sc.exe
3040	sc.exe
1448	sc.exe
1404	sc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

312 2408 WerFault.exe 6666.exe

pid	pid_target	process	target process
312	2408	WerFault.exe	6666.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exeA21C.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A21C.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A21C.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A21C.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5048 schtasks.exe
3552 schtasks.exe

pid	process
5048	schtasks.exe
3552	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeB73B.exepowershell.exenetsh.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	B73B.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	B73B.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe

pid	process
2200	f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe
2200	f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exeA21C.exe

pid process

2200 f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe
204 A21C.exe
3352
3352
3352
3352

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exepowershell.exe821E.exeB73B.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	1372	AppLaunch.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	3664	821E.exe
Token: SeDebugPrivilege	524	B73B.exe
Token: SeImpersonatePrivilege	524	B73B.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeIncreaseQuotaPrivilege	4672	powershell.exe
Token: SeSecurityPrivilege	4672	powershell.exe
Token: SeTakeOwnershipPrivilege	4672	powershell.exe
Token: SeLoadDriverPrivilege	4672	powershell.exe
Token: SeSystemProfilePrivilege	4672	powershell.exe
Token: SeSystemtimePrivilege	4672	powershell.exe
Token: SeProfSingleProcessPrivilege	4672	powershell.exe
Token: SeIncBasePriorityPrivilege	4672	powershell.exe
Token: SeCreatePagefilePrivilege	4672	powershell.exe
Token: SeBackupPrivilege	4672	powershell.exe
Token: SeRestorePrivilege	4672	powershell.exe
Token: SeShutdownPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeSystemEnvironmentPrivilege	4672	powershell.exe
Token: SeRemoteShutdownPrivilege	4672	powershell.exe
Token: SeUndockPrivilege	4672	powershell.exe
Token: SeManageVolumePrivilege	4672	powershell.exe
Token: 33	4672	powershell.exe
Token: 34	4672	powershell.exe
Token: 35	4672	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

D350.tmp

pid process

3352
3352
4820 D350.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3352
3352

pid	process
3352
3352
4820	D350.tmp

pid	process
3352
3352

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8701.exe6666.exeregsvr32.exeD350.exeB73B.exeAppLaunch.exeB73B.execmd.exe

description	pid	process	target process
PID 3352 wrote to memory of 2408	3352		6666.exe
PID 3352 wrote to memory of 2408	3352		6666.exe
PID 3352 wrote to memory of 2408	3352		6666.exe
PID 3352 wrote to memory of 2688	3352		6955.exe
PID 3352 wrote to memory of 2688	3352		6955.exe
PID 3352 wrote to memory of 2688	3352		6955.exe
PID 3352 wrote to memory of 3664	3352		821E.exe
PID 3352 wrote to memory of 3664	3352		821E.exe
PID 3352 wrote to memory of 3664	3352		821E.exe
PID 3352 wrote to memory of 1532	3352		8701.exe
PID 3352 wrote to memory of 1532	3352		8701.exe
PID 3352 wrote to memory of 1532	3352		8701.exe
PID 1532 wrote to memory of 1372	1532	8701.exe	AppLaunch.exe
PID 1532 wrote to memory of 1372	1532	8701.exe	AppLaunch.exe
PID 1532 wrote to memory of 1372	1532	8701.exe	AppLaunch.exe
PID 1532 wrote to memory of 1372	1532	8701.exe	AppLaunch.exe
PID 1532 wrote to memory of 1372	1532	8701.exe	AppLaunch.exe
PID 1532 wrote to memory of 1372	1532	8701.exe	AppLaunch.exe
PID 1532 wrote to memory of 1372	1532	8701.exe	AppLaunch.exe
PID 1532 wrote to memory of 1372	1532	8701.exe	AppLaunch.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 2408 wrote to memory of 164	2408	6666.exe	RegSvcs.exe
PID 3352 wrote to memory of 1720	3352		regsvr32.exe
PID 3352 wrote to memory of 1720	3352		regsvr32.exe
PID 1720 wrote to memory of 320	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 320	1720	regsvr32.exe	regsvr32.exe
PID 1720 wrote to memory of 320	1720	regsvr32.exe	regsvr32.exe
PID 3352 wrote to memory of 204	3352		A21C.exe
PID 3352 wrote to memory of 204	3352		A21C.exe
PID 3352 wrote to memory of 204	3352		A21C.exe
PID 3352 wrote to memory of 524	3352		B73B.exe
PID 3352 wrote to memory of 524	3352		B73B.exe
PID 3352 wrote to memory of 524	3352		B73B.exe
PID 3352 wrote to memory of 2532	3352		D350.exe
PID 3352 wrote to memory of 2532	3352		D350.exe
PID 3352 wrote to memory of 2532	3352		D350.exe
PID 2532 wrote to memory of 4820	2532	D350.exe	D350.tmp
PID 2532 wrote to memory of 4820	2532	D350.exe	D350.tmp
PID 2532 wrote to memory of 4820	2532	D350.exe	D350.tmp
PID 3352 wrote to memory of 3028	3352		explorer.exe
PID 3352 wrote to memory of 3028	3352		explorer.exe
PID 3352 wrote to memory of 3028	3352		explorer.exe
PID 3352 wrote to memory of 3028	3352		explorer.exe
PID 3352 wrote to memory of 820	3352		explorer.exe
PID 3352 wrote to memory of 820	3352		explorer.exe
PID 3352 wrote to memory of 820	3352		explorer.exe
PID 524 wrote to memory of 1404	524	B73B.exe	powershell.exe
PID 524 wrote to memory of 1404	524	B73B.exe	powershell.exe
PID 524 wrote to memory of 1404	524	B73B.exe	powershell.exe
PID 1372 wrote to memory of 4216	1372	AppLaunch.exe	mi.exe
PID 1372 wrote to memory of 4216	1372	AppLaunch.exe	mi.exe
PID 4104 wrote to memory of 4932	4104	B73B.exe	powershell.exe
PID 4104 wrote to memory of 4932	4104	B73B.exe	powershell.exe
PID 4104 wrote to memory of 4932	4104	B73B.exe	powershell.exe
PID 4104 wrote to memory of 2668	4104	B73B.exe	cmd.exe
PID 4104 wrote to memory of 2668	4104	B73B.exe	cmd.exe
PID 2668 wrote to memory of 3040	2668	cmd.exe	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2915688436-2954362642-4271300650-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe
"C:\Users\Admin\AppData\Local\Temp\f95b45f166111c26d59382d1f77d8c0767972c5c7c4c530f524b9ead49209802.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2200

C:\Users\Admin\AppData\Local\Temp\6666.exe
C:\Users\Admin\AppData\Local\Temp\6666.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1248
2⤵
- Program crash
PID:312

C:\Users\Admin\AppData\Local\Temp\6955.exe
C:\Users\Admin\AppData\Local\Temp\6955.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\Temp\821E.exe
C:\Users\Admin\AppData\Local\Temp\821E.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Users\Admin\AppData\Local\Temp\8701.exe
C:\Users\Admin\AppData\Local\Temp\8701.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4216

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:1092

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:1116

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:3040

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:1400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:1348

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:4156

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:1448

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:760

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:4140

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:2200

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:2360

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
4⤵
- Launches sc.exe
PID:4948

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
4⤵
- Launches sc.exe
PID:1404

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:2284

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\9819.dll
1⤵
- Loads dropped DLL
PID:320

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9819.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\A21C.exe
C:\Users\Admin\AppData\Local\Temp\A21C.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:204

C:\Users\Admin\AppData\Local\Temp\B73B.exe
C:\Users\Admin\AppData\Local\Temp\B73B.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\AppData\Local\Temp\B73B.exe
"C:\Users\Admin\AppData\Local\Temp\B73B.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:5048

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:2240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2784

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:3344

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:3552

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:4244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:3060

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:3040

C:\Users\Admin\AppData\Local\Temp\D350.exe
C:\Users\Admin\AppData\Local\Temp\D350.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\is-UIK84.tmp\D350.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UIK84.tmp\D350.tmp" /SL5="$8018E,7457838,54272,C:\Users\Admin\AppData\Local\Temp\D350.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4820

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:3028

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:820

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:308

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3568

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3112

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:4548

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:3364

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4344

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:3664

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:408

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4112

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:3332

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:740

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:348

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:1004

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery