amadey | 26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f

Windows Service

T1543.003

Processes:

nSZX9fVEo9TfRkLprb5h5d0I.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	nSZX9fVEo9TfRkLprb5h5d0I.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
behavioral2/memory/1736-104-0x0000000000EF0000-0x0000000000F42000-memory.dmp	family_redline
behavioral2/memory/4612-111-0x0000000000C20000-0x0000000000CAC000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe	family_redline
behavioral2/memory/3104-184-0x0000000000660000-0x00000000006B0000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe	family_redline
behavioral2/memory/5056-384-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description pid process target process

PID 5776 created 3064 5776 RegAsm.exe sihost.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	pid	process	target process
PID 5776 created 3064	5776	RegAsm.exe	sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

1325eeeae7.exeamert.exenSZX9fVEo9TfRkLprb5h5d0I.exe26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeexplorgu.exerandom.exeamadka.exeexplorha.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1325eeeae7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	nSZX9fVEo9TfRkLprb5h5d0I.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amadka.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow pid process

52 2864 rundll32.exe
81 2340 rundll32.exe
96 6812 rundll32.exe
52 2864 rundll32.exe
96 6812 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

4476 netsh.exe
6308 netsh.exe
6372 netsh.exe

flow	pid	process
52	2864	rundll32.exe
81	2340	rundll32.exe
96	6812	rundll32.exe
52	2864	rundll32.exe
96	6812	rundll32.exe

pid	process
4476	netsh.exe
6308	netsh.exe
6372	netsh.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

1325eeeae7.exeamert.exenSZX9fVEo9TfRkLprb5h5d0I.exeexplorha.exerandom.exeamadka.exeexplorha.exeexplorgu.exe26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1325eeeae7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	nSZX9fVEo9TfRkLprb5h5d0I.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1325eeeae7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nSZX9fVEo9TfRkLprb5h5d0I.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Executes dropped EXE 44 IoCs

Processes:

explorgu.exerandom.exealex1234.exeTraffic.exepropro.exeamadka.exeredlinepanel.exeexplorha.exe32456.exe1325eeeae7.exeNewB.exegoldprimeldlldf.exego.exefile300un.exeamert.exeU2USE9Ra2PH86K3J1s8VHSUG.exeEKb0NYH4yPgtjnTIj2qfRL8O.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.exetW8QawWbYo8OHMYJg4S2hPiU.exeF1CMsOeEo5X1pqEkB18N9JzS.exeu40s.0.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeu40s.1.exenSZX9fVEo9TfRkLprb5h5d0I.exeEKb0NYH4yPgtjnTIj2qfRL8O.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeexplorha.exeFIIJJKKFHI.execsrss.exeNewB.exeinjector.exewindefender.exewindefender.exeexplorha.exeNewB.exe

pid	process
424	explorgu.exe
692	random.exe
1444	alex1234.exe
4612	Traffic.exe
1736	propro.exe
3264	amadka.exe
3104	redlinepanel.exe
4980	explorha.exe
2820	32456.exe
1112	1325eeeae7.exe
3988	NewB.exe
4328	goldprimeldlldf.exe
3444	go.exe
1012	file300un.exe
5684	amert.exe
5212	U2USE9Ra2PH86K3J1s8VHSUG.exe
1616	EKb0NYH4yPgtjnTIj2qfRL8O.exe
5236	EhYXhYGLnLV8VSdbD8cTBq9A.exe
5132	ooNsLBPf6tZ2Yd1wW52HaYaB.exe
5988	tW8QawWbYo8OHMYJg4S2hPiU.exe
5748	F1CMsOeEo5X1pqEkB18N9JzS.exe
4132	u40s.0.exe
4280	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
5764	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
1532	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
772	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
6340	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
6520	u40s.1.exe
6272	nSZX9fVEo9TfRkLprb5h5d0I.exe
6172	EKb0NYH4yPgtjnTIj2qfRL8O.exe
5804	EhYXhYGLnLV8VSdbD8cTBq9A.exe
6852	ooNsLBPf6tZ2Yd1wW52HaYaB.exe
6220	Assistant_108.0.5067.20_Setup.exe_sfx.exe
5648	assistant_installer.exe
5576	assistant_installer.exe
3744	explorha.exe
5504	FIIJJKKFHI.exe
6712	csrss.exe
6396	NewB.exe
2868	injector.exe
3652	windefender.exe
880	windefender.exe
5944	explorha.exe
6908	NewB.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeamadka.exe1325eeeae7.exeamert.exeexplorha.exeexplorgu.exerandom.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	amadka.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	1325eeeae7.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe

Loads dropped DLL 17 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exerundll32.exeassistant_installer.exeassistant_installer.exeu40s.0.exe

pid	process
5024	rundll32.exe
880	rundll32.exe
2864	rundll32.exe
768	rundll32.exe
2340	rundll32.exe
4280	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
5764	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
1532	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
772	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
6340	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
6812	rundll32.exe
5648	assistant_installer.exe
5648	assistant_installer.exe
5576	assistant_installer.exe
5576	assistant_installer.exe
4132	u40s.0.exe
4132	u40s.0.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\nSZX9fVEo9TfRkLprb5h5d0I.exe	themida
behavioral2/memory/6272-1042-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp	themida
behavioral2/memory/6272-1050-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp	themida
behavioral2/memory/6272-1047-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp	themida
behavioral2/memory/6272-1052-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp	themida
behavioral2/memory/6272-1053-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp	themida
behavioral2/memory/6272-1057-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp	themida
behavioral2/memory/6272-1058-0x00007FF7F4220000-0x00007FF7F4D2A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

explorgu.exeexplorha.exeEKb0NYH4yPgtjnTIj2qfRL8O.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\1325eeeae7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\1325eeeae7.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	EhYXhYGLnLV8VSdbD8cTBq9A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ooNsLBPf6tZ2Yd1wW52HaYaB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe"	explorgu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

nSZX9fVEo9TfRkLprb5h5d0I.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nSZX9fVEo9TfRkLprb5h5d0I.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

HYFxJJHfY3Nz6YNWQZKBkpGn.exeHYFxJJHfY3Nz6YNWQZKBkpGn.exe

description	ioc	process
File opened (read-only)	\??\D:	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
File opened (read-only)	\??\F:	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
File opened (read-only)	\??\D:	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
File opened (read-only)	\??\F:	HYFxJJHfY3Nz6YNWQZKBkpGn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

40 pastebin.com
50 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

97 api.myip.com
99 ipinfo.io
4 api.myip.com
65 ipinfo.io
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
40	pastebin.com
50	pastebin.com

flow	ioc
97	api.myip.com
99	ipinfo.io
4	api.myip.com
65	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Drops file in System32 directory 17 IoCs

Processes:

nSZX9fVEo9TfRkLprb5h5d0I.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	nSZX9fVEo9TfRkLprb5h5d0I.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	nSZX9fVEo9TfRkLprb5h5d0I.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	nSZX9fVEo9TfRkLprb5h5d0I.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	nSZX9fVEo9TfRkLprb5h5d0I.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeexplorgu.exeamadka.exeexplorha.exeamert.exenSZX9fVEo9TfRkLprb5h5d0I.exeexplorha.exeexplorha.exe

pid	process
4368	26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
424	explorgu.exe
3264	amadka.exe
4980	explorha.exe
5684	amert.exe
6272	nSZX9fVEo9TfRkLprb5h5d0I.exe
3744	explorha.exe
5944	explorha.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

alex1234.exegoldprimeldlldf.exefile300un.exetW8QawWbYo8OHMYJg4S2hPiU.exe

description	pid	process	target process
PID 1444 set thread context of 4216	1444	alex1234.exe	RegAsm.exe
PID 4328 set thread context of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 1012 set thread context of 1144	1012	file300un.exe	CasPol.exe
PID 5988 set thread context of 5776	5988	tW8QawWbYo8OHMYJg4S2hPiU.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

ooNsLBPf6tZ2Yd1wW52HaYaB.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeEKb0NYH4yPgtjnTIj2qfRL8O.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	ooNsLBPf6tZ2Yd1wW52HaYaB.exe
File opened (read-only)	\??\VBoxMiniRdrDN	EhYXhYGLnLV8VSdbD8cTBq9A.exe
File opened (read-only)	\??\VBoxMiniRdrDN	EKb0NYH4yPgtjnTIj2qfRL8O.exe

Drops file in Windows directory 10 IoCs

Processes:

EhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.exe26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeamadka.exeEKb0NYH4yPgtjnTIj2qfRL8O.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	EhYXhYGLnLV8VSdbD8cTBq9A.exe
File opened for modification	C:\Windows\rss	ooNsLBPf6tZ2Yd1wW52HaYaB.exe
File created	C:\Windows\rss\csrss.exe	ooNsLBPf6tZ2Yd1wW52HaYaB.exe
File created	C:\Windows\Tasks\explorgu.job	26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
File created	C:\Windows\Tasks\explorha.job	amadka.exe
File opened for modification	C:\Windows\rss	EKb0NYH4yPgtjnTIj2qfRL8O.exe
File created	C:\Windows\rss\csrss.exe	EKb0NYH4yPgtjnTIj2qfRL8O.exe
File created	C:\Windows\rss\csrss.exe	EhYXhYGLnLV8VSdbD8cTBq9A.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5840 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5840	sc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6116	5988	WerFault.exe	tW8QawWbYo8OHMYJg4S2hPiU.exe
6420	5776	WerFault.exe	RegAsm.exe
6644	5776	WerFault.exe	RegAsm.exe
7080	5748	WerFault.exe	F1CMsOeEo5X1pqEkB18N9JzS.exe
6512	4132	WerFault.exe	u40s.0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u40s.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u40s.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u40s.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u40s.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

u40s.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u40s.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u40s.0.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

6608 schtasks.exe
4424 schtasks.exe
1552 schtasks.exe

pid	process
6608	schtasks.exe
4424	schtasks.exe
1552	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeEKb0NYH4yPgtjnTIj2qfRL8O.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	EhYXhYGLnLV8VSdbD8cTBq9A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	EhYXhYGLnLV8VSdbD8cTBq9A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2892 = "Sudan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	EhYXhYGLnLV8VSdbD8cTBq9A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	EhYXhYGLnLV8VSdbD8cTBq9A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	EhYXhYGLnLV8VSdbD8cTBq9A.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

HYFxJJHfY3Nz6YNWQZKBkpGn.exepropro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	HYFxJJHfY3Nz6YNWQZKBkpGn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5756 PING.EXE

pid	process
5756	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exeexplorgu.exeamadka.exerundll32.exeexplorha.exeTraffic.exepowershell.exepropro.exeredlinepanel.exemsedge.exemsedge.exeamert.exe32456.exeRegAsm.exerundll32.exemsedge.exe

pid	process
4368	26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
4368	26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
424	explorgu.exe
424	explorgu.exe
3264	amadka.exe
3264	amadka.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
4980	explorha.exe
4980	explorha.exe
4612	Traffic.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
880	rundll32.exe
1656	powershell.exe
1656	powershell.exe
1656	powershell.exe
1736	propro.exe
1736	propro.exe
3104	redlinepanel.exe
3104	redlinepanel.exe
3104	redlinepanel.exe
3104	redlinepanel.exe
880	msedge.exe
880	msedge.exe
1848	msedge.exe
1848	msedge.exe
5684	amert.exe
5684	amert.exe
2820	32456.exe
2820	32456.exe
3104	redlinepanel.exe
3104	redlinepanel.exe
5056	RegAsm.exe
5056	RegAsm.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
2340	rundll32.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1736	propro.exe
1404	msedge.exe
1404	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

Traffic.exe32456.exepowershell.exepropro.exeCasPol.exeredlinepanel.exeRegAsm.exepowershell.exeRegAsm.exepowershell.exepowershell.exepowershell.exeEhYXhYGLnLV8VSdbD8cTBq9A.exeooNsLBPf6tZ2Yd1wW52HaYaB.exeEKb0NYH4yPgtjnTIj2qfRL8O.exepowershell.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	4612	Traffic.exe
Token: SeBackupPrivilege	4612	Traffic.exe
Token: SeSecurityPrivilege	4612	Traffic.exe
Token: SeSecurityPrivilege	4612	Traffic.exe
Token: SeSecurityPrivilege	4612	Traffic.exe
Token: SeSecurityPrivilege	4612	Traffic.exe
Token: SeDebugPrivilege	2820	32456.exe
Token: SeBackupPrivilege	2820	32456.exe
Token: SeSecurityPrivilege	2820	32456.exe
Token: SeSecurityPrivilege	2820	32456.exe
Token: SeSecurityPrivilege	2820	32456.exe
Token: SeSecurityPrivilege	2820	32456.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1736	propro.exe
Token: SeDebugPrivilege	1144	CasPol.exe
Token: SeDebugPrivilege	3104	redlinepanel.exe
Token: SeDebugPrivilege	5056	RegAsm.exe
Token: SeDebugPrivilege	5728	powershell.exe
Token: SeDebugPrivilege	4216	RegAsm.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	5824	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	5236	EhYXhYGLnLV8VSdbD8cTBq9A.exe
Token: SeDebugPrivilege	5132	ooNsLBPf6tZ2Yd1wW52HaYaB.exe
Token: SeImpersonatePrivilege	5236	EhYXhYGLnLV8VSdbD8cTBq9A.exe
Token: SeImpersonatePrivilege	5132	ooNsLBPf6tZ2Yd1wW52HaYaB.exe
Token: SeDebugPrivilege	1616	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Token: SeImpersonatePrivilege	1616	EKb0NYH4yPgtjnTIj2qfRL8O.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	5996	powershell.exe
Token: SeDebugPrivilege	6968	powershell.exe
Token: SeDebugPrivilege	3704	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	6392	powershell.exe
Token: SeDebugPrivilege	5460	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	6044	powershell.exe
Token: SeDebugPrivilege	6196	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeSystemEnvironmentPrivilege	6712	csrss.exe
Token: SeSecurityPrivilege	5840	sc.exe
Token: SeSecurityPrivilege	5840	sc.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

go.exemsedge.exeu40s.1.exe

pid	process
3444	go.exe
3444	go.exe
3444	go.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
3444	go.exe
3444	go.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

go.exemsedge.exeu40s.1.exe

pid	process
3444	go.exe
3444	go.exe
3444	go.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
3444	go.exe
3444	go.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe
6520	u40s.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorgu.exealex1234.exeRegAsm.exerundll32.exeamadka.exerundll32.exeexplorha.exeNewB.exegoldprimeldlldf.exe

description	pid	process	target process
PID 424 wrote to memory of 692	424	explorgu.exe	random.exe
PID 424 wrote to memory of 692	424	explorgu.exe	random.exe
PID 424 wrote to memory of 692	424	explorgu.exe	random.exe
PID 424 wrote to memory of 1444	424	explorgu.exe	alex1234.exe
PID 424 wrote to memory of 1444	424	explorgu.exe	alex1234.exe
PID 424 wrote to memory of 1444	424	explorgu.exe	alex1234.exe
PID 1444 wrote to memory of 4216	1444	alex1234.exe	RegAsm.exe
PID 1444 wrote to memory of 4216	1444	alex1234.exe	RegAsm.exe
PID 1444 wrote to memory of 4216	1444	alex1234.exe	RegAsm.exe
PID 1444 wrote to memory of 4216	1444	alex1234.exe	RegAsm.exe
PID 1444 wrote to memory of 4216	1444	alex1234.exe	RegAsm.exe
PID 1444 wrote to memory of 4216	1444	alex1234.exe	RegAsm.exe
PID 1444 wrote to memory of 4216	1444	alex1234.exe	RegAsm.exe
PID 1444 wrote to memory of 4216	1444	alex1234.exe	RegAsm.exe
PID 4216 wrote to memory of 4612	4216	RegAsm.exe	Traffic.exe
PID 4216 wrote to memory of 4612	4216	RegAsm.exe	Traffic.exe
PID 4216 wrote to memory of 1736	4216	RegAsm.exe	propro.exe
PID 4216 wrote to memory of 1736	4216	RegAsm.exe	propro.exe
PID 4216 wrote to memory of 1736	4216	RegAsm.exe	propro.exe
PID 424 wrote to memory of 3264	424	explorgu.exe	amadka.exe
PID 424 wrote to memory of 3264	424	explorgu.exe	amadka.exe
PID 424 wrote to memory of 3264	424	explorgu.exe	amadka.exe
PID 424 wrote to memory of 3104	424	explorgu.exe	redlinepanel.exe
PID 424 wrote to memory of 3104	424	explorgu.exe	redlinepanel.exe
PID 424 wrote to memory of 3104	424	explorgu.exe	redlinepanel.exe
PID 424 wrote to memory of 5024	424	explorgu.exe	rundll32.exe
PID 424 wrote to memory of 5024	424	explorgu.exe	rundll32.exe
PID 424 wrote to memory of 5024	424	explorgu.exe	rundll32.exe
PID 5024 wrote to memory of 880	5024	rundll32.exe	msedge.exe
PID 5024 wrote to memory of 880	5024	rundll32.exe	msedge.exe
PID 3264 wrote to memory of 4980	3264	amadka.exe	explorha.exe
PID 3264 wrote to memory of 4980	3264	amadka.exe	explorha.exe
PID 3264 wrote to memory of 4980	3264	amadka.exe	explorha.exe
PID 880 wrote to memory of 4892	880	rundll32.exe	netsh.exe
PID 880 wrote to memory of 4892	880	rundll32.exe	netsh.exe
PID 424 wrote to memory of 2820	424	explorgu.exe	32456.exe
PID 424 wrote to memory of 2820	424	explorgu.exe	32456.exe
PID 880 wrote to memory of 1656	880	rundll32.exe	powershell.exe
PID 880 wrote to memory of 1656	880	rundll32.exe	powershell.exe
PID 4980 wrote to memory of 1112	4980	explorha.exe	1325eeeae7.exe
PID 4980 wrote to memory of 1112	4980	explorha.exe	1325eeeae7.exe
PID 4980 wrote to memory of 1112	4980	explorha.exe	1325eeeae7.exe
PID 424 wrote to memory of 3988	424	explorgu.exe	NewB.exe
PID 424 wrote to memory of 3988	424	explorgu.exe	NewB.exe
PID 424 wrote to memory of 3988	424	explorgu.exe	NewB.exe
PID 4980 wrote to memory of 1604	4980	explorha.exe	explorha.exe
PID 4980 wrote to memory of 1604	4980	explorha.exe	explorha.exe
PID 4980 wrote to memory of 1604	4980	explorha.exe	explorha.exe
PID 3988 wrote to memory of 1552	3988	NewB.exe	schtasks.exe
PID 3988 wrote to memory of 1552	3988	NewB.exe	schtasks.exe
PID 3988 wrote to memory of 1552	3988	NewB.exe	schtasks.exe
PID 424 wrote to memory of 4328	424	explorgu.exe	goldprimeldlldf.exe
PID 424 wrote to memory of 4328	424	explorgu.exe	goldprimeldlldf.exe
PID 424 wrote to memory of 4328	424	explorgu.exe	goldprimeldlldf.exe
PID 4328 wrote to memory of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 4328 wrote to memory of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 4328 wrote to memory of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 4328 wrote to memory of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 4328 wrote to memory of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 4328 wrote to memory of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 4328 wrote to memory of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 4328 wrote to memory of 5056	4328	goldprimeldlldf.exe	RegAsm.exe
PID 4980 wrote to memory of 3444	4980	explorha.exe	go.exe
PID 4980 wrote to memory of 3444	4980	explorha.exe	go.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3064

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe
"C:\Users\Admin\AppData\Local\Temp\26121a6c86c1d4500587baa28347bc27612f064a77008db86a6c9c3065f67d1f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4368

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:424

C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:692

C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:4704

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe
"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4980

C:\Users\Admin\AppData\Local\Temp\1000042001\1325eeeae7.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\1325eeeae7.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:1112

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
4⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3edd3cb8,0x7ffb3edd3cc8,0x7ffb3edd3cd8
6⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
6⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
6⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
6⤵
PID:584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3256 /prefetch:8
6⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
6⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
6⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
6⤵
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
6⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3116 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
6⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
6⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
6⤵
PID:6840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5583328925047381538,16079852937424471178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
6⤵
PID:6848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
5⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3edd3cb8,0x7ffb3edd3cc8,0x7ffb3edd3cd8
6⤵
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3edd3cb8,0x7ffb3edd3cc8,0x7ffb3edd3cd8
6⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5684

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:768

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5728

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:6812

C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe
"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:1552

C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe
"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001055001\file300un.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Users\Admin\Pictures\U2USE9Ra2PH86K3J1s8VHSUG.exe
"C:\Users\Admin\Pictures\U2USE9Ra2PH86K3J1s8VHSUG.exe"
4⤵
- Executes dropped EXE
PID:5212

C:\Users\Admin\AppData\Local\Temp\u40s.0.exe
"C:\Users\Admin\AppData\Local\Temp\u40s.0.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"
6⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe
"C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe"
7⤵
- Executes dropped EXE
PID:5504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FIIJJKKFHI.exe
8⤵
PID:3728

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
9⤵
- Runs ping.exe
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 3484
6⤵
- Program crash
PID:6512

C:\Users\Admin\AppData\Local\Temp\u40s.1.exe
"C:\Users\Admin\AppData\Local\Temp\u40s.1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6520

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exe
"C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exe
"C:\Users\Admin\Pictures\EKb0NYH4yPgtjnTIj2qfRL8O.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:6364

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:6308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:6712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:6608

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:1028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:2868

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:4424

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:3980

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exe
"C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exe
"C:\Users\Admin\Pictures\EhYXhYGLnLV8VSdbD8cTBq9A.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:6256

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:4476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Users\Admin\Pictures\ooNsLBPf6tZ2Yd1wW52HaYaB.exe
"C:\Users\Admin\Pictures\ooNsLBPf6tZ2Yd1wW52HaYaB.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5124

C:\Users\Admin\Pictures\ooNsLBPf6tZ2Yd1wW52HaYaB.exe
"C:\Users\Admin\Pictures\ooNsLBPf6tZ2Yd1wW52HaYaB.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:6852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6968

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:6824

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:6372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:3708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6196

C:\Users\Admin\Pictures\tW8QawWbYo8OHMYJg4S2hPiU.exe
"C:\Users\Admin\Pictures\tW8QawWbYo8OHMYJg4S2hPiU.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 532
6⤵
- Program crash
PID:6420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 504
6⤵
- Program crash
PID:6644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 880
5⤵
- Program crash
PID:6116

C:\Users\Admin\Pictures\F1CMsOeEo5X1pqEkB18N9JzS.exe
"C:\Users\Admin\Pictures\F1CMsOeEo5X1pqEkB18N9JzS.exe"
4⤵
- Executes dropped EXE
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 1272
5⤵
- Program crash
PID:7080

C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe
"C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe" --silent --allusers=0
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:4280

C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe
C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6b8be1d0,0x6b8be1dc,0x6b8be1e8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5764

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\HYFxJJHfY3Nz6YNWQZKBkpGn.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\HYFxJJHfY3Nz6YNWQZKBkpGn.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532

C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe
"C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4280 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329063333" --session-guid=7478d726-9f4e-4a97-8440-947e14411507 --server-tracking-blob=ZjdlNjhkZGViZTgyZmNhODQ1M2FkZjk2ZmQwNTk1NGU3MTFjMjgwMzM4MjBhZWQyOGZiYTg1Y2Y4MTFkODllYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE2OTQwMDcuNjc5MyIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjdmYzc1MTI1LWY3ZmUtNGY0NS04YjIxLWU5ODA0Njk1OTExNSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C04000000000000
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:772

C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe
C:\Users\Admin\Pictures\HYFxJJHfY3Nz6YNWQZKBkpGn.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6af3e1d0,0x6af3e1dc,0x6af3e1e8
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6340

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
5⤵
- Executes dropped EXE
PID:6220

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\assistant_installer.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5648

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403290633331\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xf60040,0xf6004c,0xf60058
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5576

C:\Users\Admin\Pictures\nSZX9fVEo9TfRkLprb5h5d0I.exe
"C:\Users\Admin\Pictures\nSZX9fVEo9TfRkLprb5h5d0I.exe"
4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6272

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5988 -ip 5988
1⤵
PID:6008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5776 -ip 5776
1⤵
PID:6272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5776 -ip 5776
1⤵
PID:6572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5748 -ip 5748
1⤵
PID:7012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4132 -ip 4132
1⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
1⤵
- Executes dropped EXE
PID:6396

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:880

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5944

C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001050001\NewB.exe
1⤵
- Executes dropped EXE
PID:6908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery