amadey | 85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80

Virtualization/Sandbox Evasion

Processes:

85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

291 5888 rundll32.exe
Downloads MZ/PE file

flow	pid	process
291	5888	rundll32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorgu.exe85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

explorgu.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 10 IoCs

Processes:

explorgu.exegoldprimeldlldf.exeTeamFour.exealex1234.exeTraffic.exepropro.exe987123.exelummalg.exechckik.exemk.exe

pid	process
4536	explorgu.exe
2348	goldprimeldlldf.exe
3152	TeamFour.exe
1144	alex1234.exe
2304	Traffic.exe
2968	propro.exe
1508	987123.exe
3456	lummalg.exe
3116	chckik.exe
1300	mk.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
Key opened	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine	explorgu.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5888 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exeexplorgu.exe

pid process

5624 85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
4536 explorgu.exe

pid	process
5888	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

goldprimeldlldf.exealex1234.exelummalg.exe

description	pid	process	target process
PID 2348 set thread context of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 1144 set thread context of 1964	1144	alex1234.exe	RegAsm.exe
PID 3456 set thread context of 5000	3456	lummalg.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exechckik.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
File created	C:\Windows\Tasks\chrosha.job	chckik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1292 5000 WerFault.exe RegAsm.exe

pid	pid_target	process	target process
1292	5000	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

987123.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exeexplorgu.exeRegAsm.exeTeamFour.exe987123.exepropro.exeTraffic.exe

pid	process
5624	85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
5624	85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
4536	explorgu.exe
4536	explorgu.exe
2424	RegAsm.exe
2424	RegAsm.exe
2424	RegAsm.exe
2424	RegAsm.exe
2424	RegAsm.exe
2424	RegAsm.exe
3152	TeamFour.exe
3152	TeamFour.exe
1508	987123.exe
1508	987123.exe
2968	propro.exe
2968	propro.exe
2304	Traffic.exe
2304	Traffic.exe
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480
3480

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

987123.exe

pid process

1508 987123.exe

pid	process
1508	987123.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

TeamFour.exeRegAsm.exeTraffic.exepropro.exemk.exe

description	pid	process
Token: SeDebugPrivilege	3152	TeamFour.exe
Token: SeDebugPrivilege	2424	RegAsm.exe
Token: SeBackupPrivilege	3152	TeamFour.exe
Token: SeSecurityPrivilege	3152	TeamFour.exe
Token: SeSecurityPrivilege	3152	TeamFour.exe
Token: SeSecurityPrivilege	3152	TeamFour.exe
Token: SeSecurityPrivilege	3152	TeamFour.exe
Token: SeDebugPrivilege	2304	Traffic.exe
Token: SeBackupPrivilege	2304	Traffic.exe
Token: SeSecurityPrivilege	2304	Traffic.exe
Token: SeSecurityPrivilege	2304	Traffic.exe
Token: SeSecurityPrivilege	2304	Traffic.exe
Token: SeSecurityPrivilege	2304	Traffic.exe
Token: SeDebugPrivilege	2968	propro.exe
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeShutdownPrivilege	3480
Token: SeCreatePagefilePrivilege	3480
Token: SeDebugPrivilege	1300	mk.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

explorgu.exegoldprimeldlldf.exealex1234.exeRegAsm.exelummalg.exe

description	pid	process	target process
PID 4536 wrote to memory of 2348	4536	explorgu.exe	goldprimeldlldf.exe
PID 4536 wrote to memory of 2348	4536	explorgu.exe	goldprimeldlldf.exe
PID 4536 wrote to memory of 2348	4536	explorgu.exe	goldprimeldlldf.exe
PID 2348 wrote to memory of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 2348 wrote to memory of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 2348 wrote to memory of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 2348 wrote to memory of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 2348 wrote to memory of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 2348 wrote to memory of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 2348 wrote to memory of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 2348 wrote to memory of 2424	2348	goldprimeldlldf.exe	RegAsm.exe
PID 4536 wrote to memory of 3152	4536	explorgu.exe	TeamFour.exe
PID 4536 wrote to memory of 3152	4536	explorgu.exe	TeamFour.exe
PID 4536 wrote to memory of 1144	4536	explorgu.exe	alex1234.exe
PID 4536 wrote to memory of 1144	4536	explorgu.exe	alex1234.exe
PID 4536 wrote to memory of 1144	4536	explorgu.exe	alex1234.exe
PID 1144 wrote to memory of 1972	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1972	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1972	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1964	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1964	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1964	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1964	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1964	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1964	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1964	1144	alex1234.exe	RegAsm.exe
PID 1144 wrote to memory of 1964	1144	alex1234.exe	RegAsm.exe
PID 1964 wrote to memory of 2968	1964	RegAsm.exe	propro.exe
PID 1964 wrote to memory of 2968	1964	RegAsm.exe	propro.exe
PID 1964 wrote to memory of 2968	1964	RegAsm.exe	propro.exe
PID 1964 wrote to memory of 2304	1964	RegAsm.exe	Traffic.exe
PID 1964 wrote to memory of 2304	1964	RegAsm.exe	Traffic.exe
PID 4536 wrote to memory of 5608	4536	explorgu.exe	rundll32.exe
PID 4536 wrote to memory of 5608	4536	explorgu.exe	rundll32.exe
PID 4536 wrote to memory of 5608	4536	explorgu.exe	rundll32.exe
PID 4536 wrote to memory of 1508	4536	explorgu.exe	987123.exe
PID 4536 wrote to memory of 1508	4536	explorgu.exe	987123.exe
PID 4536 wrote to memory of 1508	4536	explorgu.exe	987123.exe
PID 4536 wrote to memory of 3456	4536	explorgu.exe	lummalg.exe
PID 4536 wrote to memory of 3456	4536	explorgu.exe	lummalg.exe
PID 4536 wrote to memory of 3456	4536	explorgu.exe	lummalg.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 3456 wrote to memory of 5000	3456	lummalg.exe	RegAsm.exe
PID 4536 wrote to memory of 5888	4536	explorgu.exe	rundll32.exe
PID 4536 wrote to memory of 5888	4536	explorgu.exe	rundll32.exe
PID 4536 wrote to memory of 5888	4536	explorgu.exe	rundll32.exe
PID 4536 wrote to memory of 3116	4536	explorgu.exe	chckik.exe
PID 4536 wrote to memory of 3116	4536	explorgu.exe	chckik.exe
PID 4536 wrote to memory of 3116	4536	explorgu.exe	chckik.exe
PID 4536 wrote to memory of 1300	4536	explorgu.exe	mk.exe
PID 4536 wrote to memory of 1300	4536	explorgu.exe	mk.exe
PID 4536 wrote to memory of 1300	4536	explorgu.exe	mk.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe
"C:\Users\Admin\AppData\Local\Temp\85ed554f3e7593f1fbbdf5edcfbda8b71b4f950ff1679aab9620219567145c80.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5624

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
"C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
PID:5608

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
"C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1508

C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
"C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 832
4⤵
- Program crash
PID:1292

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5888

C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
"C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3116

C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe
"C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5000 -ip 5000
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion