amadey | 0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66

Virtualization/Sandbox Evasion

Processes:

0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

164 5552 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

6056 netsh.exe

flow	pid	process
164	5552	rundll32.exe

pid	process
6056	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

explorgu.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explorgu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 7 IoCs

Processes:

explorgu.exegoldprimeldlldf.exealex1234.exeTraffic.exepropro.exe987123.exechckik.exe

pid process

3140 explorgu.exe
4624 goldprimeldlldf.exe
3676 alex1234.exe
5308 Traffic.exe
5292 propro.exe
5840 987123.exe
5240 chckik.exe

pid	process
3140	explorgu.exe
4624	goldprimeldlldf.exe
3676	alex1234.exe
5308	Traffic.exe
5292	propro.exe
5840	987123.exe
5240	chckik.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
Key opened	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Software\Wine	explorgu.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

5528 rundll32.exe
5552 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exeexplorgu.exe

pid process

824 0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
3140 explorgu.exe

pid	process
5528	rundll32.exe
5552	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

goldprimeldlldf.exealex1234.exe

description	pid	process	target process
PID 4624 set thread context of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 3676 set thread context of 3176	3676	alex1234.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exechckik.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
File created	C:\Windows\Tasks\chrosha.job	chckik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

6056 5840 WerFault.exe 987123.exe
5020 5992 WerFault.exe toolspub1.exe

pid	pid_target	process	target process
6056	5840	WerFault.exe	987123.exe
5020	5992	WerFault.exe	toolspub1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

987123.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4496 schtasks.exe
5832 schtasks.exe
6008 schtasks.exe

pid	process
4496	schtasks.exe
5832	schtasks.exe
6008	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exeexplorgu.exerundll32.exe

pid	process
824	0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
824	0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
3140	explorgu.exe
3140	explorgu.exe
5552	rundll32.exe
5552	rundll32.exe
5552	rundll32.exe
5552	rundll32.exe
5552	rundll32.exe
5552	rundll32.exe
5552	rundll32.exe
5552	rundll32.exe
5552	rundll32.exe
5552	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Traffic.exe

description	pid	process
Token: SeDebugPrivilege	5308	Traffic.exe
Token: SeBackupPrivilege	5308	Traffic.exe
Token: SeSecurityPrivilege	5308	Traffic.exe
Token: SeSecurityPrivilege	5308	Traffic.exe
Token: SeSecurityPrivilege	5308	Traffic.exe
Token: SeSecurityPrivilege	5308	Traffic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exechckik.exe

pid process

824 0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
5240 chckik.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

explorgu.exegoldprimeldlldf.exealex1234.exeRegAsm.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3140 wrote to memory of 4624	3140	explorgu.exe	goldprimeldlldf.exe
PID 3140 wrote to memory of 4624	3140	explorgu.exe	goldprimeldlldf.exe
PID 3140 wrote to memory of 4624	3140	explorgu.exe	goldprimeldlldf.exe
PID 4624 wrote to memory of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 4624 wrote to memory of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 4624 wrote to memory of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 4624 wrote to memory of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 4624 wrote to memory of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 4624 wrote to memory of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 4624 wrote to memory of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 4624 wrote to memory of 4520	4624	goldprimeldlldf.exe	RegAsm.exe
PID 3140 wrote to memory of 3676	3140	explorgu.exe	alex1234.exe
PID 3140 wrote to memory of 3676	3140	explorgu.exe	alex1234.exe
PID 3140 wrote to memory of 3676	3140	explorgu.exe	alex1234.exe
PID 3676 wrote to memory of 3176	3676	alex1234.exe	RegAsm.exe
PID 3676 wrote to memory of 3176	3676	alex1234.exe	RegAsm.exe
PID 3676 wrote to memory of 3176	3676	alex1234.exe	RegAsm.exe
PID 3676 wrote to memory of 3176	3676	alex1234.exe	RegAsm.exe
PID 3676 wrote to memory of 3176	3676	alex1234.exe	RegAsm.exe
PID 3676 wrote to memory of 3176	3676	alex1234.exe	RegAsm.exe
PID 3676 wrote to memory of 3176	3676	alex1234.exe	RegAsm.exe
PID 3676 wrote to memory of 3176	3676	alex1234.exe	RegAsm.exe
PID 3176 wrote to memory of 5308	3176	RegAsm.exe	Traffic.exe
PID 3176 wrote to memory of 5308	3176	RegAsm.exe	Traffic.exe
PID 3176 wrote to memory of 5292	3176	RegAsm.exe	propro.exe
PID 3176 wrote to memory of 5292	3176	RegAsm.exe	propro.exe
PID 3176 wrote to memory of 5292	3176	RegAsm.exe	propro.exe
PID 3140 wrote to memory of 5528	3140	explorgu.exe	rundll32.exe
PID 3140 wrote to memory of 5528	3140	explorgu.exe	rundll32.exe
PID 3140 wrote to memory of 5528	3140	explorgu.exe	rundll32.exe
PID 5528 wrote to memory of 5552	5528	rundll32.exe	rundll32.exe
PID 5528 wrote to memory of 5552	5528	rundll32.exe	rundll32.exe
PID 5552 wrote to memory of 5636	5552	rundll32.exe	netsh.exe
PID 5552 wrote to memory of 5636	5552	rundll32.exe	netsh.exe
PID 3140 wrote to memory of 5840	3140	explorgu.exe	987123.exe
PID 3140 wrote to memory of 5840	3140	explorgu.exe	987123.exe
PID 3140 wrote to memory of 5840	3140	explorgu.exe	987123.exe
PID 3140 wrote to memory of 5240	3140	explorgu.exe	chckik.exe
PID 3140 wrote to memory of 5240	3140	explorgu.exe	chckik.exe
PID 3140 wrote to memory of 5240	3140	explorgu.exe	chckik.exe
PID 5552 wrote to memory of 1532	5552	rundll32.exe	powershell.exe
PID 5552 wrote to memory of 1532	5552	rundll32.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe
"C:\Users\Admin\AppData\Local\Temp\0b151681aa8889612bc85e481f91469e8894f5a73ba325951bc2289a5d746d66.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2712 --field-trial-handle=2264,i,1475924722205134884,16549311107360026087,262144 --variations-seed-version /prefetch:8
1⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5292

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5308

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5528

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5552

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
"C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 352
3⤵
- Program crash
PID:6056

C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
"C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:5240

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
PID:5544

C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe"
2⤵
PID:5012

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:4496

C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\toolspub1.exe"
3⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 396
4⤵
- Program crash
PID:5020

C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe"
3⤵
PID:5504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000182001\4767d2e713f2021e8fe856e3ea638b58.exe"
4⤵
PID:3992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:2060

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:6056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5188

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:5036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5488

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:5832

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:3236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:6056

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:6008

C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
2⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\1001038001\file.exe
"C:\Users\Admin\AppData\Local\Temp\1001038001\file.exe"
2⤵
PID:5552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
3⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"
4⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
4⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
2⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5840 -ip 5840
1⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5992 -ip 5992
1⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
PID:408

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
PID:5288

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
PID:2740

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\172592802658_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:4080

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe"
2⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001036001\NewB.exe
1⤵
PID:3716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery