betabot | 287b45f0e674bc427c8c0ef423af43a8c5d99973c5740e907995a0b771626be2

Windows Service

T1543.003

Processes:

explorer.exe1m1a3yqm7m5_1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	1m1a3yqm7m5_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	1m1a3yqm7m5_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	1m1a3yqm7m5_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	1m1a3yqm7m5_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

regedit.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath regedit.exe
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath	regedit.exe

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/1828-159-0x0000000000350000-0x00000000003ED000-memory.dmp	family_vidar
behavioral3/memory/1828-161-0x0000000000400000-0x0000000002D17000-memory.dmp	family_vidar
behavioral3/memory/1828-320-0x0000000000400000-0x0000000002D17000-memory.dmp	family_vidar

Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Looks for VMWare services registry key. 1 TTPs 2 IoCs

evasion

Virtualization/Sandbox Evasion

T1497

Processes:

Thu161c4715668.exesetup_installer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Thu161c4715668.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	setup_installer.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

1m1a3yqm7m5_1.exeregedit.exeexplorer.exe60E5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "fjn.exe"	1m1a3yqm7m5_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "dprejivvisv.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe	1m1a3yqm7m5_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	1m1a3yqm7m5_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "kbm.exe"	1m1a3yqm7m5_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1m1a3yqm7m5.exe\DisableExceptionChainValidation	60E5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe	1m1a3yqm7m5_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "lwecgk.exe"	1m1a3yqm7m5_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "qvmefitpqzr.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1m1a3yqm7m5.exe	60E5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "hex.exe"	1m1a3yqm7m5_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "rsf.exe"	1m1a3yqm7m5_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "fysciuwpajr.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "fjwfxj.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe	1m1a3yqm7m5_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	1m1a3yqm7m5_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	regedit.exe

Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath	regedit.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS87B06926\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS87B06926\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS87B06926\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS87B06926\libcurl.dll	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Executes dropped EXE 14 IoCs

Processes:

setup_install.exeThu161c4715668.exeThu169d91817c3a28839.exeThu16e63a1de9.exeThu16a1a5e679d4.exeThu1628173c43b7.exeThu16f40a4d7ec.exeThu16859d0e3fa17.exeThu16e68ef66d3d.exeThu161c4715668.exeThu16859d0e3fa17.exe60E5.exe678A.exe1m1a3yqm7m5_1.exe

pid	process
2612	setup_install.exe
2968	Thu161c4715668.exe
1644	Thu169d91817c3a28839.exe
1948	Thu16e63a1de9.exe
1744	Thu16a1a5e679d4.exe
2784	Thu1628173c43b7.exe
1828	Thu16f40a4d7ec.exe
2740	Thu16859d0e3fa17.exe
2360	Thu16e68ef66d3d.exe
1628	Thu161c4715668.exe
2116	Thu16859d0e3fa17.exe
2352	60E5.exe
668	678A.exe
2632	1m1a3yqm7m5_1.exe

Loads dropped DLL 51 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.execmd.exeThu161c4715668.execmd.exeThu169d91817c3a28839.execmd.execmd.exeThu16f40a4d7ec.execmd.exeThu16e68ef66d3d.exeThu161c4715668.exeWerFault.exeWerFault.exeExplorer.EXEexplorer.exeWerFault.exe

pid	process
2936	setup_installer.exe
2936	setup_installer.exe
2936	setup_installer.exe
2612	setup_install.exe
2612	setup_install.exe
2612	setup_install.exe
2612	setup_install.exe
2612	setup_install.exe
2612	setup_install.exe
2612	setup_install.exe
2612	setup_install.exe
2520	cmd.exe
2520	cmd.exe
2540	cmd.exe
2460	cmd.exe
2460	cmd.exe
2968	Thu161c4715668.exe
2968	Thu161c4715668.exe
2964	cmd.exe
1644	Thu169d91817c3a28839.exe
1644	Thu169d91817c3a28839.exe
2028	cmd.exe
2516	cmd.exe
2516	cmd.exe
1828	Thu16f40a4d7ec.exe
1828	Thu16f40a4d7ec.exe
2832	cmd.exe
2968	Thu161c4715668.exe
2360	Thu16e68ef66d3d.exe
2360	Thu16e68ef66d3d.exe
1628	Thu161c4715668.exe
1628	Thu161c4715668.exe
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
1132	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
1380	Explorer.EXE
1380	Explorer.EXE
2732	explorer.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exeThu161c4715668.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\1m1a3yqm7m5.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\1m1a3yqm7m5.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\1m1a3yqm7m5.exe\""	Thu161c4715668.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

Processes:

1m1a3yqm7m5_1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	1m1a3yqm7m5_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	1m1a3yqm7m5_1.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

Processes:

60E5.exeThu161c4715668.exesetup_installer.exe1m1a3yqm7m5_1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	60E5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Thu161c4715668.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_installer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1m1a3yqm7m5_1.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\ProgramData\Java Updater\desktop.ini explorer.exe

description	ioc	process
File opened for modification	C:\ProgramData\Java Updater\desktop.ini	explorer.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Thu161c4715668.exesetup_installer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Thu161c4715668.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Thu161c4715668.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	setup_installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	setup_installer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

Processes:

60E5.exeexplorer.exeThu161c4715668.exesetup_installer.exe1m1a3yqm7m5_1.exe

pid	process
2352	60E5.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
1628	Thu161c4715668.exe
1628	Thu161c4715668.exe
1628	Thu161c4715668.exe
1628	Thu161c4715668.exe
2936	setup_installer.exe
2936	setup_installer.exe
2936	setup_installer.exe
2936	setup_installer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2632	1m1a3yqm7m5_1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1132	2612	WerFault.exe	setup_install.exe
2596	1828	WerFault.exe	Thu16f40a4d7ec.exe
3040	1132	WerFault.exe	WerFault.exe
2348	2360	WerFault.exe	Thu16e68ef66d3d.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Thu169d91817c3a28839.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu169d91817c3a28839.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu169d91817c3a28839.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu169d91817c3a28839.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorer.exe1m1a3yqm7m5_1.exe60E5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1m1a3yqm7m5_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1m1a3yqm7m5_1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	60E5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	60E5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

308 schtasks.exe

pid	process
308	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

Thu16e63a1de9.exeThu16a1a5e679d4.exeThu16f40a4d7ec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Thu16e63a1de9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Thu16a1a5e679d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Thu16a1a5e679d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu16f40a4d7ec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu16f40a4d7ec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Thu16e63a1de9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Thu16a1a5e679d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Thu16a1a5e679d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu16f40a4d7ec.exe

NTFS ADS 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\1m1a3yqm7m5_1.exe:1BB7FB68	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\1m1a3yqm7m5_1.exe:1BB7FB68	explorer.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

2708 regedit.exe

pid	process
2708	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Thu169d91817c3a28839.exepowershell.exeExplorer.EXE

pid	process
1644	Thu169d91817c3a28839.exe
1644	Thu169d91817c3a28839.exe
2980	powershell.exe
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

Thu169d91817c3a28839.exe60E5.exeexplorer.exe1m1a3yqm7m5_1.exe

pid	process
1644	Thu169d91817c3a28839.exe
2352	60E5.exe
2352	60E5.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2732	explorer.exe
2632	1m1a3yqm7m5_1.exe
2632	1m1a3yqm7m5_1.exe
2732	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeThu16e63a1de9.exeThu1628173c43b7.exeThu16a1a5e679d4.exe60E5.exeexplorer.exeExplorer.EXE1m1a3yqm7m5_1.exeregedit.exe

description	pid	process
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1948	Thu16e63a1de9.exe
Token: SeDebugPrivilege	2784	Thu1628173c43b7.exe
Token: SeDebugPrivilege	1744	Thu16a1a5e679d4.exe
Token: SeDebugPrivilege	2352	60E5.exe
Token: SeRestorePrivilege	2352	60E5.exe
Token: SeBackupPrivilege	2352	60E5.exe
Token: SeLoadDriverPrivilege	2352	60E5.exe
Token: SeCreatePagefilePrivilege	2352	60E5.exe
Token: SeShutdownPrivilege	2352	60E5.exe
Token: SeTakeOwnershipPrivilege	2352	60E5.exe
Token: SeChangeNotifyPrivilege	2352	60E5.exe
Token: SeCreateTokenPrivilege	2352	60E5.exe
Token: SeMachineAccountPrivilege	2352	60E5.exe
Token: SeSecurityPrivilege	2352	60E5.exe
Token: SeAssignPrimaryTokenPrivilege	2352	60E5.exe
Token: SeCreateGlobalPrivilege	2352	60E5.exe
Token: 33	2352	60E5.exe
Token: SeDebugPrivilege	2732	explorer.exe
Token: SeRestorePrivilege	2732	explorer.exe
Token: SeBackupPrivilege	2732	explorer.exe
Token: SeLoadDriverPrivilege	2732	explorer.exe
Token: SeCreatePagefilePrivilege	2732	explorer.exe
Token: SeShutdownPrivilege	2732	explorer.exe
Token: SeTakeOwnershipPrivilege	2732	explorer.exe
Token: SeChangeNotifyPrivilege	2732	explorer.exe
Token: SeCreateTokenPrivilege	2732	explorer.exe
Token: SeMachineAccountPrivilege	2732	explorer.exe
Token: SeSecurityPrivilege	2732	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2732	explorer.exe
Token: SeCreateGlobalPrivilege	2732	explorer.exe
Token: 33	2732	explorer.exe
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeShutdownPrivilege	1380	Explorer.EXE
Token: SeDebugPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeRestorePrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeBackupPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeLoadDriverPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeCreatePagefilePrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeShutdownPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeTakeOwnershipPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeChangeNotifyPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeCreateTokenPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeMachineAccountPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeSecurityPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeAssignPrimaryTokenPrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeCreateGlobalPrivilege	2632	1m1a3yqm7m5_1.exe
Token: 33	2632	1m1a3yqm7m5_1.exe
Token: SeCreatePagefilePrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeCreatePagefilePrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeCreatePagefilePrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeCreatePagefilePrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeCreatePagefilePrivilege	2632	1m1a3yqm7m5_1.exe
Token: SeDebugPrivilege	2708	regedit.exe
Token: SeRestorePrivilege	2708	regedit.exe
Token: SeBackupPrivilege	2708	regedit.exe
Token: SeLoadDriverPrivilege	2708	regedit.exe
Token: SeCreatePagefilePrivilege	2708	regedit.exe
Token: SeShutdownPrivilege	2708	regedit.exe
Token: SeTakeOwnershipPrivilege	2708	regedit.exe
Token: SeChangeNotifyPrivilege	2708	regedit.exe
Token: SeCreateTokenPrivilege	2708	regedit.exe
Token: SeMachineAccountPrivilege	2708	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.exe

description	pid	process	target process
PID 2936 wrote to memory of 2612	2936	setup_installer.exe	setup_install.exe
PID 2936 wrote to memory of 2612	2936	setup_installer.exe	setup_install.exe
PID 2936 wrote to memory of 2612	2936	setup_installer.exe	setup_install.exe
PID 2936 wrote to memory of 2612	2936	setup_installer.exe	setup_install.exe
PID 2936 wrote to memory of 2612	2936	setup_installer.exe	setup_install.exe
PID 2936 wrote to memory of 2612	2936	setup_installer.exe	setup_install.exe
PID 2936 wrote to memory of 2612	2936	setup_installer.exe	setup_install.exe
PID 2612 wrote to memory of 824	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 824	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 824	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 824	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 824	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 824	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 824	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2520	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2460	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2460	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2460	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2460	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2460	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2460	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2460	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2484	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2484	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2484	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2484	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2484	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2484	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2484	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2516	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2516	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2516	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2516	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2516	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2516	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2516	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2540	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2540	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2540	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2540	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2540	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2540	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2540	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2832	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2832	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2832	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2832	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2832	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2832	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2832	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2964	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2964	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2964	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2964	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2964	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2964	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2964	2612	setup_install.exe	cmd.exe
PID 2612 wrote to memory of 2028	2612	setup_install.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Looks for VMWare services registry key.
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS87B06926\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu1628173c43b7.exe
4⤵
- Loads dropped DLL
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu16a1a5e679d4.exe
4⤵
- Loads dropped DLL
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu16e68ef66d3d.exe
4⤵
- Loads dropped DLL
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu16e63a1de9.exe
4⤵
- Loads dropped DLL
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu16f40a4d7ec.exe
4⤵
- Loads dropped DLL
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu16859d0e3fa17.exe
4⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu169d91817c3a28839.exe
4⤵
- Loads dropped DLL
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu161c4715668.exe
4⤵
- Loads dropped DLL
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 424
4⤵
- Loads dropped DLL
- Program crash
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 620
5⤵
- Program crash
PID:3040

C:\Users\Admin\AppData\Local\Temp\60E5.exe
C:\Users\Admin\AppData\Local\Temp\60E5.exe
2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Users\Admin\AppData\Local\Temp\1m1a3yqm7m5_1.exe
/suac
4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\1M1A3Y~1.EXE" /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:308

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\SysWOW64\regedit.exe"
5⤵
- Modifies security service
- Sets file execution options in registry
- Sets service image path in registry
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Users\Admin\AppData\Local\Temp\678A.exe
C:\Users\Admin\AppData\Local\Temp\678A.exe
2⤵
- Executes dropped EXE
PID:668

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "116792870418633707631147590596-2102327335-1549804667131433294012539603291725085726"
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu16f40a4d7ec.exe
Thu16f40a4d7ec.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 956
2⤵
- Loads dropped DLL
- Program crash
PID:2596

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu16e68ef66d3d.exe
Thu16e68ef66d3d.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 488
2⤵
- Loads dropped DLL
- Program crash
PID:2348

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu161c4715668.exe
"C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu161c4715668.exe" -a
1⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1861428166-49822379-120143959196071556119394758311149881121349474210-677893686"
1⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu16859d0e3fa17.exe
Thu16859d0e3fa17.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu1628173c43b7.exe
Thu1628173c43b7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu16a1a5e679d4.exe
Thu16a1a5e679d4.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu16859d0e3fa17.exe
"C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu16859d0e3fa17.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu169d91817c3a28839.exe
Thu169d91817c3a28839.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1644

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu16e63a1de9.exe
Thu16e63a1de9.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Users\Admin\AppData\Local\Temp\7zS87B06926\Thu161c4715668.exe
Thu161c4715668.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery