glupteba | 0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2548	powershell.exe
4852	powershell.exe
2028	powershell.exe
4752	powershell.exe
1600	powershell.exe
1668	powershell.exe
2588	powershell.exe
1912	powershell.exe
3440	powershell.exe
3732	powershell.exe
1644	powershell.exe
3368	powershell.exe
5032	powershell.exe
2032	powershell.exe
4692	powershell.exe
2412	powershell.exe
2420	powershell.exe
3680	powershell.exe
1088	powershell.exe
4348	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
928	netsh.exe
3560	netsh.exe
668	netsh.exe
3324	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	regasm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	88qVA71GFy1Nq4onm1oSpddh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	u2z0.1.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3nIXyefvAynIECsArtWYsqAH.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dk5k6N55yZG9NmBc2NJZ47fH.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gYGCry2efJc88HLTlemr0VKL.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y0lRizMW1SK3tDRzxCRtuOLC.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z2Brp3JiHK3QLJkkYlAkOnwx.bat	regasm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rPLnwVvRy6GVl4JzJqZo0y27.bat	regasm.exe

Executes dropped EXE 15 IoCs

pid	Process
3852	88qVA71GFy1Nq4onm1oSpddh.exe
3764	mROzCSDwjdNgpJpwGjxU8PZ6.exe
4368	HkNR03C8eGLoJYmYsDiS3idD.exe
1732	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
4156	Mkb433YgG0jW3gAvc3R5VDpF.exe
3116	u2z0.0.exe
3696	u2z0.1.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1372	HkNR03C8eGLoJYmYsDiS3idD.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
4724	csrss.exe
808	injector.exe
4404	windefender.exe
3300	windefender.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000002343f-701.dat	upx
behavioral1/memory/3300-713-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	gkCrJzLv4Tcf2A3uZl1bCPwG.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	mROzCSDwjdNgpJpwGjxU8PZ6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Mkb433YgG0jW3gAvc3R5VDpF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	HkNR03C8eGLoJYmYsDiS3idD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
12	pastebin.com

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	mROzCSDwjdNgpJpwGjxU8PZ6.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Mkb433YgG0jW3gAvc3R5VDpF.exe
File opened (read-only)	\??\VBoxMiniRdrDN	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
File opened (read-only)	\??\VBoxMiniRdrDN	HkNR03C8eGLoJYmYsDiS3idD.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\rss\csrss.exe	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
File opened for modification	C:\Windows\rss	mROzCSDwjdNgpJpwGjxU8PZ6.exe
File opened for modification	C:\Windows\rss	Mkb433YgG0jW3gAvc3R5VDpF.exe
File created	C:\Windows\rss\csrss.exe	Mkb433YgG0jW3gAvc3R5VDpF.exe
File created	C:\Windows\rss\csrss.exe	HkNR03C8eGLoJYmYsDiS3idD.exe
File opened for modification	C:\Windows\rss	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
File created	C:\Windows\rss\csrss.exe	mROzCSDwjdNgpJpwGjxU8PZ6.exe
File opened for modification	C:\Windows\rss	HkNR03C8eGLoJYmYsDiS3idD.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3908	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2944	3852	WerFault.exe	91
4440	3116	WerFault.exe	97

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2z0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2z0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2z0.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2z0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2z0.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3640	schtasks.exe
1568	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	Mkb433YgG0jW3gAvc3R5VDpF.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	powershell.exe
2548	powershell.exe
1644	powershell.exe
1644	powershell.exe
2420	powershell.exe
2420	powershell.exe
3680	powershell.exe
3680	powershell.exe
4852	powershell.exe
4852	powershell.exe
2420	powershell.exe
3680	powershell.exe
4852	powershell.exe
1644	powershell.exe
4156	Mkb433YgG0jW3gAvc3R5VDpF.exe
4156	Mkb433YgG0jW3gAvc3R5VDpF.exe
4368	HkNR03C8eGLoJYmYsDiS3idD.exe
4368	HkNR03C8eGLoJYmYsDiS3idD.exe
1732	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1732	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
3764	mROzCSDwjdNgpJpwGjxU8PZ6.exe
3764	mROzCSDwjdNgpJpwGjxU8PZ6.exe
1088	powershell.exe
1088	powershell.exe
1600	powershell.exe
1600	powershell.exe
1668	powershell.exe
1668	powershell.exe
2588	powershell.exe
2588	powershell.exe
1088	powershell.exe
1600	powershell.exe
1668	powershell.exe
2588	powershell.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1372	HkNR03C8eGLoJYmYsDiS3idD.exe
1372	HkNR03C8eGLoJYmYsDiS3idD.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1372	HkNR03C8eGLoJYmYsDiS3idD.exe
1372	HkNR03C8eGLoJYmYsDiS3idD.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
64	Mkb433YgG0jW3gAvc3R5VDpF.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
1372	HkNR03C8eGLoJYmYsDiS3idD.exe
1372	HkNR03C8eGLoJYmYsDiS3idD.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1964	regasm.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	4156	Mkb433YgG0jW3gAvc3R5VDpF.exe
Token: SeDebugPrivilege	4368	HkNR03C8eGLoJYmYsDiS3idD.exe
Token: SeDebugPrivilege	1732	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Token: SeImpersonatePrivilege	4156	Mkb433YgG0jW3gAvc3R5VDpF.exe
Token: SeDebugPrivilege	3764	mROzCSDwjdNgpJpwGjxU8PZ6.exe
Token: SeImpersonatePrivilege	4368	HkNR03C8eGLoJYmYsDiS3idD.exe
Token: SeImpersonatePrivilege	1732	gkCrJzLv4Tcf2A3uZl1bCPwG.exe
Token: SeImpersonatePrivilege	3764	mROzCSDwjdNgpJpwGjxU8PZ6.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	3672	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeSystemEnvironmentPrivilege	4724	csrss.exe
Token: SeSecurityPrivilege	3908	sc.exe
Token: SeSecurityPrivilege	3908	sc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe
3696	u2z0.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2548	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	84
PID 2112 wrote to memory of 2548	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	84
PID 2112 wrote to memory of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86
PID 2112 wrote to memory of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86
PID 2112 wrote to memory of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86
PID 2112 wrote to memory of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86
PID 2112 wrote to memory of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86
PID 2112 wrote to memory of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86
PID 2112 wrote to memory of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86
PID 2112 wrote to memory of 1964	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	86
PID 2112 wrote to memory of 3980	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	87
PID 2112 wrote to memory of 3980	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	87
PID 2112 wrote to memory of 3980	2112	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	87
PID 1964 wrote to memory of 3852	1964	regasm.exe	91
PID 1964 wrote to memory of 3852	1964	regasm.exe	91
PID 1964 wrote to memory of 3852	1964	regasm.exe	91
PID 1964 wrote to memory of 3764	1964	regasm.exe	92
PID 1964 wrote to memory of 3764	1964	regasm.exe	92
PID 1964 wrote to memory of 3764	1964	regasm.exe	92
PID 1964 wrote to memory of 4368	1964	regasm.exe	93
PID 1964 wrote to memory of 4368	1964	regasm.exe	93
PID 1964 wrote to memory of 4368	1964	regasm.exe	93
PID 1964 wrote to memory of 1732	1964	regasm.exe	94
PID 1964 wrote to memory of 1732	1964	regasm.exe	94
PID 1964 wrote to memory of 1732	1964	regasm.exe	94
PID 1964 wrote to memory of 4156	1964	regasm.exe	95
PID 1964 wrote to memory of 4156	1964	regasm.exe	95
PID 1964 wrote to memory of 4156	1964	regasm.exe	95
PID 3852 wrote to memory of 3116	3852	88qVA71GFy1Nq4onm1oSpddh.exe	97
PID 3852 wrote to memory of 3116	3852	88qVA71GFy1Nq4onm1oSpddh.exe	97
PID 3852 wrote to memory of 3116	3852	88qVA71GFy1Nq4onm1oSpddh.exe	97
PID 4156 wrote to memory of 2420	4156	Mkb433YgG0jW3gAvc3R5VDpF.exe	100
PID 4156 wrote to memory of 2420	4156	Mkb433YgG0jW3gAvc3R5VDpF.exe	100
PID 4156 wrote to memory of 2420	4156	Mkb433YgG0jW3gAvc3R5VDpF.exe	100
PID 3764 wrote to memory of 1644	3764	mROzCSDwjdNgpJpwGjxU8PZ6.exe	99
PID 3764 wrote to memory of 1644	3764	mROzCSDwjdNgpJpwGjxU8PZ6.exe	99
PID 3764 wrote to memory of 1644	3764	mROzCSDwjdNgpJpwGjxU8PZ6.exe	99
PID 4368 wrote to memory of 4852	4368	HkNR03C8eGLoJYmYsDiS3idD.exe	102
PID 4368 wrote to memory of 4852	4368	HkNR03C8eGLoJYmYsDiS3idD.exe	102
PID 4368 wrote to memory of 4852	4368	HkNR03C8eGLoJYmYsDiS3idD.exe	102
PID 1732 wrote to memory of 3680	1732	gkCrJzLv4Tcf2A3uZl1bCPwG.exe	101
PID 1732 wrote to memory of 3680	1732	gkCrJzLv4Tcf2A3uZl1bCPwG.exe	101
PID 1732 wrote to memory of 3680	1732	gkCrJzLv4Tcf2A3uZl1bCPwG.exe	101
PID 3852 wrote to memory of 3696	3852	88qVA71GFy1Nq4onm1oSpddh.exe	107
PID 3852 wrote to memory of 3696	3852	88qVA71GFy1Nq4onm1oSpddh.exe	107
PID 3852 wrote to memory of 3696	3852	88qVA71GFy1Nq4onm1oSpddh.exe	107
PID 64 wrote to memory of 1088	64	Mkb433YgG0jW3gAvc3R5VDpF.exe	117
PID 64 wrote to memory of 1088	64	Mkb433YgG0jW3gAvc3R5VDpF.exe	117
PID 64 wrote to memory of 1088	64	Mkb433YgG0jW3gAvc3R5VDpF.exe	117
PID 1372 wrote to memory of 1600	1372	HkNR03C8eGLoJYmYsDiS3idD.exe	119
PID 1372 wrote to memory of 1600	1372	HkNR03C8eGLoJYmYsDiS3idD.exe	119
PID 1372 wrote to memory of 1600	1372	HkNR03C8eGLoJYmYsDiS3idD.exe	119
PID 1956 wrote to memory of 1668	1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe	120
PID 1956 wrote to memory of 1668	1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe	120
PID 1956 wrote to memory of 1668	1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe	120
PID 2752 wrote to memory of 2588	2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe	123
PID 2752 wrote to memory of 2588	2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe	123
PID 2752 wrote to memory of 2588	2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe	123
PID 2752 wrote to memory of 528	2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe	126
PID 2752 wrote to memory of 528	2752	mROzCSDwjdNgpJpwGjxU8PZ6.exe	126
PID 64 wrote to memory of 1744	64	Mkb433YgG0jW3gAvc3R5VDpF.exe	128
PID 64 wrote to memory of 1744	64	Mkb433YgG0jW3gAvc3R5VDpF.exe	128
PID 1956 wrote to memory of 2944	1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe	129
PID 1956 wrote to memory of 2944	1956	gkCrJzLv4Tcf2A3uZl1bCPwG.exe	129

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
"C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\Pictures\88qVA71GFy1Nq4onm1oSpddh.exe
    "C:\Users\Admin\Pictures\88qVA71GFy1Nq4onm1oSpddh.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\u2z0.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u2z0.0.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:3116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1272
        5⤵
        Program crash
        
        PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\u2z0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u2z0.1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3696
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1516
      4⤵
      Program crash
      PID:2944
- - C:\Users\Admin\Pictures\mROzCSDwjdNgpJpwGjxU8PZ6.exe
    "C:\Users\Admin\Pictures\mROzCSDwjdNgpJpwGjxU8PZ6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Users\Admin\Pictures\mROzCSDwjdNgpJpwGjxU8PZ6.exe
      "C:\Users\Admin\Pictures\mROzCSDwjdNgpJpwGjxU8PZ6.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:528
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
- - C:\Users\Admin\Pictures\HkNR03C8eGLoJYmYsDiS3idD.exe
    "C:\Users\Admin\Pictures\HkNR03C8eGLoJYmYsDiS3idD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Users\Admin\Pictures\HkNR03C8eGLoJYmYsDiS3idD.exe
      "C:\Users\Admin\Pictures\HkNR03C8eGLoJYmYsDiS3idD.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:3328
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:668
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
- - C:\Users\Admin\Pictures\gkCrJzLv4Tcf2A3uZl1bCPwG.exe
    "C:\Users\Admin\Pictures\gkCrJzLv4Tcf2A3uZl1bCPwG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3680
  - - C:\Users\Admin\Pictures\gkCrJzLv4Tcf2A3uZl1bCPwG.exe
      "C:\Users\Admin\Pictures\gkCrJzLv4Tcf2A3uZl1bCPwG.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2944
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:3640
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:5008
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:808
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1568
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
- - C:\Users\Admin\Pictures\Mkb433YgG0jW3gAvc3R5VDpF.exe
    "C:\Users\Admin\Pictures\Mkb433YgG0jW3gAvc3R5VDpF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Users\Admin\Pictures\Mkb433YgG0jW3gAvc3R5VDpF.exe
      "C:\Users\Admin\Pictures\Mkb433YgG0jW3gAvc3R5VDpF.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1744
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3324
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3852 -ip 3852
1⤵
PID:1760

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3116 -ip 3116
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery