amadey | a3791f9a33de62edfcfbb4bad919ed4dfdf81b914ce7af5120233bd20228765b

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/3852-247-0x00000000023D0000-0x000000000244E000-memory.dmp	net_reactor
behavioral2/memory/3852-249-0x0000000005210000-0x000000000528E000-memory.dmp	net_reactor
behavioral2/memory/320-496-0x0000000004B90000-0x0000000004C28000-memory.dmp	net_reactor
behavioral2/memory/320-499-0x0000000005240000-0x00000000052D8000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RuntimeBroker.exeladas.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ladas.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ladas.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

b38fe213704c50c252032bdee6ee365d.exeexplorhe.exechrosha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	b38fe213704c50c252032bdee6ee365d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	chrosha.exe

Executes dropped EXE 18 IoCs

Processes:

explorhe.exeplana.exe1234pixxxx.exeAmadey.exe2024.exeladas.exemilan1234.exesadsadsadsa.exe1233213123213.execrptchk.exechrosha.exe55555.exeexplorhe.exeredline1234.exeuwgxswmtctao.exeRuntimeBroker.exegoldklassd.exemrk1234.exe

pid	process
528	explorhe.exe
2972	plana.exe
4740	1234pixxxx.exe
4868	Amadey.exe
780	2024.exe
932	ladas.exe
4744	milan1234.exe
2896	sadsadsadsa.exe
1104	1233213123213.exe
3852	crptchk.exe
644	chrosha.exe
4456	55555.exe
320	explorhe.exe
736	redline1234.exe
1844	uwgxswmtctao.exe
920	RuntimeBroker.exe
4100	goldklassd.exe
320	mrk1234.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ladas.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Wine ladas.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

2236 rundll32.exe
4296 rundll32.exe
3652 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Wine	ladas.exe

pid	process
2236	rundll32.exe
4296	rundll32.exe
3652	rundll32.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2480-397-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-403-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-404-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-401-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-406-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-408-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-425-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-426-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-427-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-428-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-429-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-394-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-457-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2480-458-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

explorhe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plana.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plana.exe"	explorhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ladas.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000872001\\ladas.exe"	explorhe.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 api.ipify.org
36 api.ipify.org

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
35	api.ipify.org
36	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

explorhe.exeplana.exeladas.exe

pid	process
528	explorhe.exe
2972	plana.exe
932	ladas.exe
528	explorhe.exe
2972	plana.exe
528	explorhe.exe
2972	plana.exe
528	explorhe.exe
2972	plana.exe
2972	plana.exe
528	explorhe.exe
2972	plana.exe
528	explorhe.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

crptchk.exeuwgxswmtctao.exegoldklassd.exe

description	pid	process	target process
PID 3852 set thread context of 872	3852	crptchk.exe	RegAsm.exe
PID 1844 set thread context of 2480	1844	uwgxswmtctao.exe	explorer.exe
PID 4100 set thread context of 1944	4100	goldklassd.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

Amadey.exe

description ioc process

File created C:\Windows\Tasks\chrosha.job Amadey.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

872 sc.exe
4868 sc.exe
4312 sc.exe
3856 sc.exe
3744 sc.exe
3576 sc.exe
3712 sc.exe
2248 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\chrosha.job	Amadey.exe

pid	process
872	sc.exe
4868	sc.exe
4312	sc.exe
3856	sc.exe
3744	sc.exe
3576	sc.exe
3712	sc.exe
2248	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1948	872	WerFault.exe	RegAsm.exe
4224	4456	WerFault.exe	55555.exe
4476	4456	WerFault.exe	55555.exe
752	2928	WerFault.exe	RegAsm.exe
5116	2928	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4152 schtasks.exe

pid	process
4152	schtasks.exe

Modifies registry class 11 IoCs

Processes:

explorer.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-635608581-3370340891-292606865-1000\{F8CE252B-6288-4A52-890D-A88A1D9E6FCF}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

ladas.exemilan1234.exe1233213123213.exeredline1234.exeuwgxswmtctao.exerundll32.exeRuntimeBroker.exe

pid	process
932	ladas.exe
932	ladas.exe
4744	milan1234.exe
1104	1233213123213.exe
3352
3352
736	redline1234.exe
736	redline1234.exe
736	redline1234.exe
736	redline1234.exe
1844	uwgxswmtctao.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
3652	rundll32.exe
920	RuntimeBroker.exe
920	RuntimeBroker.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

milan1234.exe1233213123213.exe

pid process

4744 milan1234.exe
1104 1233213123213.exe

pid	process
660

pid	process
4744	milan1234.exe
1104	1233213123213.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

explorer.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe
Token: SeLockMemoryPrivilege	2480	explorer.exe
Token: SeShutdownPrivilege	4804	explorer.exe
Token: SeCreatePagefilePrivilege	4804	explorer.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

b38fe213704c50c252032bdee6ee365d.exeexplorer.exe

pid	process
1288	b38fe213704c50c252032bdee6ee365d.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

explorer.exe

pid	process
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe
4804	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

b38fe213704c50c252032bdee6ee365d.exeexplorhe.exeplana.exeexplorhe.exeStartMenuExperienceHost.exe

pid process

1288 b38fe213704c50c252032bdee6ee365d.exe
528 explorhe.exe
2972 plana.exe
320 explorhe.exe
220 StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b38fe213704c50c252032bdee6ee365d.exeexplorhe.execrptchk.exechrosha.exerundll32.exeuwgxswmtctao.exerundll32.exe

description	pid	process	target process
PID 1288 wrote to memory of 528	1288	b38fe213704c50c252032bdee6ee365d.exe	explorhe.exe
PID 1288 wrote to memory of 528	1288	b38fe213704c50c252032bdee6ee365d.exe	explorhe.exe
PID 1288 wrote to memory of 528	1288	b38fe213704c50c252032bdee6ee365d.exe	explorhe.exe
PID 528 wrote to memory of 4152	528	explorhe.exe	schtasks.exe
PID 528 wrote to memory of 4152	528	explorhe.exe	schtasks.exe
PID 528 wrote to memory of 4152	528	explorhe.exe	schtasks.exe
PID 528 wrote to memory of 2972	528	explorhe.exe	plana.exe
PID 528 wrote to memory of 2972	528	explorhe.exe	plana.exe
PID 528 wrote to memory of 2972	528	explorhe.exe	plana.exe
PID 528 wrote to memory of 4740	528	explorhe.exe	1234pixxxx.exe
PID 528 wrote to memory of 4740	528	explorhe.exe	1234pixxxx.exe
PID 528 wrote to memory of 4740	528	explorhe.exe	1234pixxxx.exe
PID 528 wrote to memory of 4868	528	explorhe.exe	Amadey.exe
PID 528 wrote to memory of 4868	528	explorhe.exe	Amadey.exe
PID 528 wrote to memory of 4868	528	explorhe.exe	Amadey.exe
PID 528 wrote to memory of 780	528	explorhe.exe	2024.exe
PID 528 wrote to memory of 780	528	explorhe.exe	2024.exe
PID 528 wrote to memory of 780	528	explorhe.exe	2024.exe
PID 528 wrote to memory of 932	528	explorhe.exe	ladas.exe
PID 528 wrote to memory of 932	528	explorhe.exe	ladas.exe
PID 528 wrote to memory of 932	528	explorhe.exe	ladas.exe
PID 528 wrote to memory of 4744	528	explorhe.exe	milan1234.exe
PID 528 wrote to memory of 4744	528	explorhe.exe	milan1234.exe
PID 528 wrote to memory of 2896	528	explorhe.exe	sadsadsadsa.exe
PID 528 wrote to memory of 2896	528	explorhe.exe	sadsadsadsa.exe
PID 528 wrote to memory of 2896	528	explorhe.exe	sadsadsadsa.exe
PID 528 wrote to memory of 1104	528	explorhe.exe	1233213123213.exe
PID 528 wrote to memory of 1104	528	explorhe.exe	1233213123213.exe
PID 528 wrote to memory of 3852	528	explorhe.exe	crptchk.exe
PID 528 wrote to memory of 3852	528	explorhe.exe	crptchk.exe
PID 528 wrote to memory of 3852	528	explorhe.exe	crptchk.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 3852 wrote to memory of 872	3852	crptchk.exe	RegAsm.exe
PID 528 wrote to memory of 2236	528	explorhe.exe	rundll32.exe
PID 528 wrote to memory of 2236	528	explorhe.exe	rundll32.exe
PID 528 wrote to memory of 2236	528	explorhe.exe	rundll32.exe
PID 528 wrote to memory of 4456	528	explorhe.exe	55555.exe
PID 528 wrote to memory of 4456	528	explorhe.exe	55555.exe
PID 528 wrote to memory of 4456	528	explorhe.exe	55555.exe
PID 528 wrote to memory of 736	528	explorhe.exe	redline1234.exe
PID 528 wrote to memory of 736	528	explorhe.exe	redline1234.exe
PID 644 wrote to memory of 4296	644	chrosha.exe	rundll32.exe
PID 644 wrote to memory of 4296	644	chrosha.exe	rundll32.exe
PID 644 wrote to memory of 4296	644	chrosha.exe	rundll32.exe
PID 4296 wrote to memory of 3652	4296	rundll32.exe	rundll32.exe
PID 4296 wrote to memory of 3652	4296	rundll32.exe	rundll32.exe
PID 1844 wrote to memory of 2480	1844	uwgxswmtctao.exe	explorer.exe
PID 1844 wrote to memory of 2480	1844	uwgxswmtctao.exe	explorer.exe
PID 528 wrote to memory of 920	528	explorhe.exe	RuntimeBroker.exe
PID 528 wrote to memory of 920	528	explorhe.exe	RuntimeBroker.exe
PID 528 wrote to memory of 4100	528	explorhe.exe	goldklassd.exe
PID 528 wrote to memory of 4100	528	explorhe.exe	goldklassd.exe
PID 528 wrote to memory of 4100	528	explorhe.exe	goldklassd.exe
PID 1844 wrote to memory of 2480	1844	uwgxswmtctao.exe	explorer.exe
PID 3652 wrote to memory of 4208	3652	rundll32.exe	netsh.exe
PID 3652 wrote to memory of 4208	3652	rundll32.exe	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path 1 IoCs

Processes:

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

C:\Users\Admin\AppData\Local\Temp\b38fe213704c50c252032bdee6ee365d.exe
"C:\Users\Admin\AppData\Local\Temp\b38fe213704c50c252032bdee6ee365d.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:4152

C:\Users\Admin\AppData\Local\Temp\1000674001\plana.exe
"C:\Users\Admin\AppData\Local\Temp\1000674001\plana.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"
3⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\AppData\Local\Temp\1000853001\Amadey.exe
"C:\Users\Admin\AppData\Local\Temp\1000853001\Amadey.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4868

C:\Users\Admin\AppData\Local\Temp\1000860001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000860001\2024.exe"
3⤵
- Executes dropped EXE
PID:780

C:\Users\Admin\AppData\Local\Temp\1000872001\ladas.exe
"C:\Users\Admin\AppData\Local\Temp\1000872001\ladas.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:932

C:\Users\Admin\AppData\Local\Temp\1000874001\milan1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000874001\milan1234.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4744

C:\Users\Admin\AppData\Local\Temp\1000876001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000876001\sadsadsadsa.exe"
3⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Local\Temp\1000878001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000878001\1233213123213.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1104

C:\Users\Admin\AppData\Local\Temp\1000883001\crptchk.exe
"C:\Users\Admin\AppData\Local\Temp\1000883001\crptchk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 600
5⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2236

C:\Users\Admin\AppData\Local\Temp\1000884001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000884001\55555.exe"
3⤵
- Executes dropped EXE
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1112
4⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1136
4⤵
- Program crash
PID:4476

C:\Users\Admin\AppData\Local\Temp\1000888001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000888001\redline1234.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
4⤵
- Launches sc.exe
PID:4312

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
4⤵
- Launches sc.exe
PID:3856

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:3744

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
4⤵
- Launches sc.exe
PID:3576

C:\Users\Admin\AppData\Local\Temp\1000889001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000889001\moto.exe"
3⤵
PID:920

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:3712

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000889001\moto.exe"
4⤵
PID:3700

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1600

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:872

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4868

C:\Users\Admin\AppData\Local\Temp\1000890001\goldklassd.exe
"C:\Users\Admin\AppData\Local\Temp\1000890001\goldklassd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\1000891001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000891001\mrk1234.exe"
3⤵
- Executes dropped EXE
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1224
5⤵
- Program crash
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1216
5⤵
- Program crash
PID:5116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\1000896001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000896001\crypted.exe"
3⤵
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
5⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\1000892001\dayroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000892001\dayroc.exe"
3⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
4⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
4⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:4208

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\nss4907.tmp
C:\Users\Admin\AppData\Local\Temp\nss4907.tmp
5⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\1000895001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000895001\alex.exe"
3⤵
PID:3632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4512

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
PID:4284

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\1000893001\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000893001\RDX.exe"
3⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\1000894001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000894001\leg221.exe"
3⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 872 -ip 872
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\356085813370_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:4364

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:320

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:220

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4456 -ip 4456
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4456 -ip 4456
1⤵
PID:2240

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:1780

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2940

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:2424

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:920

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:1480

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2928 -ip 2928
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2928 -ip 2928
1⤵
PID:4204

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery