quasar | 66692d291cd990717ce709ee6af67f38124c57fdb6fe6e89f20cfffff3dd16d6

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Wurst Client ModMenu.exe

Executes dropped EXE 28 IoCs

pid	Process
2784	Wrust Client ModMenu.exe
2424	Wurst Client ModMenu.exe
3532	Wrust Client ModMenu.exe
2116	Wurst Client ModMenu.exe
2460	Wurst Client ModMenu.exe
4988	Wurst Client ModMenu.exe
4660	Wurst Client ModMenu.exe
4288	Wurst Client ModMenu.exe
1848	Wurst Client ModMenu.exe
2312	Wurst Client ModMenu.exe
5032	Wurst Client ModMenu.exe
1256	Wurst Client ModMenu.exe
1388	Wurst Client ModMenu.exe
1532	Wrust Client ModMenu.exe
1608	Wrust Client ModMenu.exe
4068	Wrust Client ModMenu.exe
1892	Wrust Client ModMenu.exe
1844	Wurst Client ModMenu.exe
2928	Wurst Client ModMenu.exe
3700	Wurst Client ModMenu.exe
2976	Wurst Client ModMenu.exe
1048	Wurst Client ModMenu.exe
1964	Wurst Client ModMenu.exe
3392	Wurst Client ModMenu.exe
5064	Wurst Client ModMenu.exe
2120	Wurst Client ModMenu.exe
4988	Wurst Client ModMenu.exe
1992	Wurst Client ModMenu.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File created	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File created	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File created	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File created	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File created	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File created	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wrust Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir\Wurst Client ModMenu.exe	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe
File opened for modification	C:\Windows\system32\SubDir	Wurst Client ModMenu.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 18 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3904	PING.EXE
2688	PING.EXE
1068	PING.EXE
3084	PING.EXE
3232	PING.EXE
2412	PING.EXE
1564	PING.EXE
2880	PING.EXE
3192	PING.EXE
2376	PING.EXE
4888	PING.EXE
436	PING.EXE
1744	PING.EXE
888	PING.EXE
2976	PING.EXE
2872	PING.EXE
1148	PING.EXE
3144	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133774516663654567"	chrome.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
1148	PING.EXE
1744	PING.EXE
3904	PING.EXE
3192	PING.EXE
2376	PING.EXE
2872	PING.EXE
3084	PING.EXE
3144	PING.EXE
3232	PING.EXE
2412	PING.EXE
4888	PING.EXE
1564	PING.EXE
2688	PING.EXE
888	PING.EXE
1068	PING.EXE
2880	PING.EXE
436	PING.EXE
2976	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1416	schtasks.exe
3644	schtasks.exe
4232	schtasks.exe
3260	schtasks.exe
2320	schtasks.exe
3132	schtasks.exe
2424	schtasks.exe
4152	schtasks.exe
1936	schtasks.exe
1092	schtasks.exe
1488	schtasks.exe
2444	schtasks.exe
1416	schtasks.exe
536	schtasks.exe
4888	schtasks.exe
444	schtasks.exe
5036	schtasks.exe
3108	schtasks.exe
664	schtasks.exe
1028	schtasks.exe
3884	schtasks.exe
2324	schtasks.exe
2064	schtasks.exe
3304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1036	taskmgr.exe
1772	7zFM.exe
1772	7zFM.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1036	taskmgr.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1772	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeRestorePrivilege	1772	7zFM.exe
Token: 35	1772	7zFM.exe
Token: SeSecurityPrivilege	1772	7zFM.exe
Token: SeDebugPrivilege	2784	Wrust Client ModMenu.exe
Token: SeDebugPrivilege	2424	Wurst Client ModMenu.exe
Token: SeSecurityPrivilege	1772	7zFM.exe
Token: SeDebugPrivilege	3532	Wrust Client ModMenu.exe
Token: SeDebugPrivilege	2116	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	2460	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	4988	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	1036	taskmgr.exe
Token: SeSystemProfilePrivilege	1036	taskmgr.exe
Token: SeCreateGlobalPrivilege	1036	taskmgr.exe
Token: SeDebugPrivilege	4660	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	4288	Wurst Client ModMenu.exe
Token: 33	1036	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1036	taskmgr.exe
Token: SeDebugPrivilege	1848	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	2312	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	5032	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	1256	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	1388	Wurst Client ModMenu.exe
Token: SeSecurityPrivilege	1772	7zFM.exe
Token: SeDebugPrivilege	1532	Wrust Client ModMenu.exe
Token: SeSecurityPrivilege	1772	7zFM.exe
Token: SeDebugPrivilege	1608	Wrust Client ModMenu.exe
Token: SeSecurityPrivilege	1772	7zFM.exe
Token: SeSecurityPrivilege	1772	7zFM.exe
Token: SeDebugPrivilege	4068	Wrust Client ModMenu.exe
Token: SeDebugPrivilege	1892	Wrust Client ModMenu.exe
Token: SeDebugPrivilege	1844	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	3700	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	2928	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	2976	Wurst Client ModMenu.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeDebugPrivilege	1048	Wurst Client ModMenu.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeDebugPrivilege	1964	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	3392	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	5064	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	2120	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	4988	Wurst Client ModMenu.exe
Token: SeDebugPrivilege	1992	Wurst Client ModMenu.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
1772	7zFM.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
1036	taskmgr.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2784	1772	7zFM.exe	87
PID 1772 wrote to memory of 2784	1772	7zFM.exe	87
PID 2784 wrote to memory of 664	2784	Wrust Client ModMenu.exe	89
PID 2784 wrote to memory of 664	2784	Wrust Client ModMenu.exe	89
PID 2784 wrote to memory of 2424	2784	Wrust Client ModMenu.exe	91
PID 2784 wrote to memory of 2424	2784	Wrust Client ModMenu.exe	91
PID 2424 wrote to memory of 2444	2424	Wurst Client ModMenu.exe	92
PID 2424 wrote to memory of 2444	2424	Wurst Client ModMenu.exe	92
PID 2424 wrote to memory of 1908	2424	Wurst Client ModMenu.exe	94
PID 2424 wrote to memory of 1908	2424	Wurst Client ModMenu.exe	94
PID 1908 wrote to memory of 2856	1908	cmd.exe	96
PID 1908 wrote to memory of 2856	1908	cmd.exe	96
PID 1908 wrote to memory of 2880	1908	cmd.exe	97
PID 1908 wrote to memory of 2880	1908	cmd.exe	97
PID 1772 wrote to memory of 3532	1772	7zFM.exe	98
PID 1772 wrote to memory of 3532	1772	7zFM.exe	98
PID 3532 wrote to memory of 1028	3532	Wrust Client ModMenu.exe	99
PID 3532 wrote to memory of 1028	3532	Wrust Client ModMenu.exe	99
PID 3532 wrote to memory of 2116	3532	Wrust Client ModMenu.exe	101
PID 3532 wrote to memory of 2116	3532	Wrust Client ModMenu.exe	101
PID 1908 wrote to memory of 2460	1908	cmd.exe	102
PID 1908 wrote to memory of 2460	1908	cmd.exe	102
PID 2116 wrote to memory of 1416	2116	Wurst Client ModMenu.exe	103
PID 2116 wrote to memory of 1416	2116	Wurst Client ModMenu.exe	103
PID 2116 wrote to memory of 1796	2116	Wurst Client ModMenu.exe	105
PID 2116 wrote to memory of 1796	2116	Wurst Client ModMenu.exe	105
PID 1796 wrote to memory of 1032	1796	cmd.exe	107
PID 1796 wrote to memory of 1032	1796	cmd.exe	107
PID 1796 wrote to memory of 1148	1796	cmd.exe	108
PID 1796 wrote to memory of 1148	1796	cmd.exe	108
PID 1796 wrote to memory of 4988	1796	cmd.exe	114
PID 1796 wrote to memory of 4988	1796	cmd.exe	114
PID 4988 wrote to memory of 3884	4988	Wurst Client ModMenu.exe	115
PID 4988 wrote to memory of 3884	4988	Wurst Client ModMenu.exe	115
PID 4988 wrote to memory of 2672	4988	Wurst Client ModMenu.exe	117
PID 4988 wrote to memory of 2672	4988	Wurst Client ModMenu.exe	117
PID 2672 wrote to memory of 700	2672	cmd.exe	119
PID 2672 wrote to memory of 700	2672	cmd.exe	119
PID 2672 wrote to memory of 3904	2672	cmd.exe	120
PID 2672 wrote to memory of 3904	2672	cmd.exe	120
PID 2672 wrote to memory of 4660	2672	cmd.exe	124
PID 2672 wrote to memory of 4660	2672	cmd.exe	124
PID 4660 wrote to memory of 1416	4660	Wurst Client ModMenu.exe	125
PID 4660 wrote to memory of 1416	4660	Wurst Client ModMenu.exe	125
PID 4660 wrote to memory of 4472	4660	Wurst Client ModMenu.exe	127
PID 4660 wrote to memory of 4472	4660	Wurst Client ModMenu.exe	127
PID 4472 wrote to memory of 2064	4472	cmd.exe	129
PID 4472 wrote to memory of 2064	4472	cmd.exe	129
PID 4472 wrote to memory of 3084	4472	cmd.exe	130
PID 4472 wrote to memory of 3084	4472	cmd.exe	130
PID 4472 wrote to memory of 4288	4472	cmd.exe	131
PID 4472 wrote to memory of 4288	4472	cmd.exe	131
PID 4288 wrote to memory of 536	4288	Wurst Client ModMenu.exe	132
PID 4288 wrote to memory of 536	4288	Wurst Client ModMenu.exe	132
PID 4288 wrote to memory of 708	4288	Wurst Client ModMenu.exe	134
PID 4288 wrote to memory of 708	4288	Wurst Client ModMenu.exe	134
PID 708 wrote to memory of 1540	708	cmd.exe	136
PID 708 wrote to memory of 1540	708	cmd.exe	136
PID 708 wrote to memory of 3192	708	cmd.exe	137
PID 708 wrote to memory of 3192	708	cmd.exe	137
PID 708 wrote to memory of 1848	708	cmd.exe	138
PID 708 wrote to memory of 1848	708	cmd.exe	138
PID 1848 wrote to memory of 4888	1848	Wurst Client ModMenu.exe	139
PID 1848 wrote to memory of 4888	1848	Wurst Client ModMenu.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Wurst_Client_password_123.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\7zOCE65F3A7\Wrust Client ModMenu.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE65F3A7\Wrust Client ModMenu.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:664
- - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
    "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uf4z45EgobYQ.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2856
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
    - - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
- C:\Users\Admin\AppData\Local\Temp\7zOCE6B26F7\Wrust Client ModMenu.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE6B26F7\Wrust Client ModMenu.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1028
- - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
    "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v2CVkftxASs3.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1032
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1148
    - - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3884
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wrn1Lp706wba.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3904
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGcSO6WEgsdD.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3084
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8OXf7A7Iwb2Y.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3192
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYMiCZvoE3rV.bat" "
        12⤵
        
        PID:4524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3144
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbU3M75zvTzN.bat" "
        14⤵
        
        PID:5028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3232
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XgETYhK3SOzo.bat" "
        16⤵
        
        PID:3796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2412
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i1Q86ukfmsiI.bat" "
        18⤵
        
        PID:3136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2376
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\npuZZ8rbF3GJ.bat" "
        20⤵
        
        PID:5040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4888
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cL19UkDAX2eR.bat" "
        22⤵
        
        PID:4812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yJejX8pUWTVH.bat" "
        24⤵
        
        PID:1064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1744
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JWMrm4kEk22s.bat" "
        26⤵
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2976
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCI7CFJ265nn.bat" "
        28⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
- C:\Users\Admin\AppData\Local\Temp\7zOCE641729\Wrust Client ModMenu.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE641729\Wrust Client ModMenu.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2324
- - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
    "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- C:\Users\Admin\AppData\Local\Temp\7zOCE6A9529\Wrust Client ModMenu.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE6A9529\Wrust Client ModMenu.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4152
- - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
    "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- C:\Users\Admin\AppData\Local\Temp\7zOCE6FB329\Wrust Client ModMenu.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE6FB329\Wrust Client ModMenu.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:444
- - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
    "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3700
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcw2kbNUbE8p.bat" "
      4⤵
      PID:992
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2828
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1564
    - - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmHAEkHr5qRm.bat" "
        6⤵
        
        PID:3864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:436
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XRWuN5s6Gv4F.bat" "
        8⤵
        
        PID:812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:888
        
        C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
        
        "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\39x6jUNAjEzR.bat" "
        10⤵
        
        PID:1772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1068
- C:\Users\Admin\AppData\Local\Temp\7zOCE695329\Wrust Client ModMenu.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCE695329\Wrust Client ModMenu.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5036
- - C:\Windows\system32\SubDir\Wurst Client ModMenu.exe
    "C:\Windows\system32\SubDir\Wurst Client ModMenu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2976

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffa35d2cc40,0x7ffa35d2cc4c,0x7ffa35d2cc58
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:540
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff71e4b4698,0x7ff71e4b46a4,0x7ff71e4b46b0
    3⤵
    - Drops file in Windows directory
    PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4808,i,10585555559166775437,2121864581131212118,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:1540

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery