amadey | e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92

Windows Service

T1543.003

Processes:

GVB4WVbt6lub5QXa6WvoEyUW.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	GVB4WVbt6lub5QXa6WvoEyUW.exe

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description pid process target process

PID 3040 created 2852 3040 RegAsm.exe sihost.exe

description	pid	process	target process
PID 3040 created 2852	3040	RegAsm.exe	sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

845765797d.exeamert.exeexplorha.exeexplorgu.exeGVB4WVbt6lub5QXa6WvoEyUW.exeexplorha.exee672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exeexplorha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	845765797d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GVB4WVbt6lub5QXa6WvoEyUW.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

43 5292 rundll32.exe
51 5340 rundll32.exe
86 1904 rundll32.exe
103 6284 rundll32.exe
51 5340 rundll32.exe
103 6284 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

5300 netsh.exe
3128 netsh.exe
1680 netsh.exe

flow	pid	process
43	5292	rundll32.exe
51	5340	rundll32.exe
86	1904	rundll32.exe
103	6284	rundll32.exe
51	5340	rundll32.exe
103	6284	rundll32.exe

pid	process
5300	netsh.exe
3128	netsh.exe
1680	netsh.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exeexplorha.exeamert.exeexplorha.exeexplorgu.exeexplorha.exeGVB4WVbt6lub5QXa6WvoEyUW.exe845765797d.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GVB4WVbt6lub5QXa6WvoEyUW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	845765797d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	845765797d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GVB4WVbt6lub5QXa6WvoEyUW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 37 IoCs

Processes:

explorha.exe845765797d.exego.exeamert.exeexplorha.exeexplorgu.exekoooooo.exeNewB.exefile300un.exensEk8tLapmXJUwPLNptpRYaf.exe3tAUUAFnOsGnIZlZOiWwaT0A.exepDTVFZcmrgmUEckZDi5iM2jk.exeEaA7jWUT5Mk5zv8oV8rBf6pX.exeujoASDvSG0oFc7iaVfomXa4f.exeu4e0.0.exeu4e0.1.exe3tAUUAFnOsGnIZlZOiWwaT0A.exeujoASDvSG0oFc7iaVfomXa4f.exensEk8tLapmXJUwPLNptpRYaf.exeq6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exeGVB4WVbt6lub5QXa6WvoEyUW.exeAssistant_108.0.5067.20_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.execsrss.exeHCAAEGIJKE.exeinjector.exewindefender.exewindefender.exeexplorha.exeNewB.exeexplorha.exeNewB.exe

pid	process
2452	explorha.exe
4596	845765797d.exe
2520	go.exe
5776	amert.exe
1948	explorha.exe
4028	explorgu.exe
5492	koooooo.exe
1112	NewB.exe
6132	file300un.exe
5444	nsEk8tLapmXJUwPLNptpRYaf.exe
588	3tAUUAFnOsGnIZlZOiWwaT0A.exe
5688	pDTVFZcmrgmUEckZDi5iM2jk.exe
4768	EaA7jWUT5Mk5zv8oV8rBf6pX.exe
5960	ujoASDvSG0oFc7iaVfomXa4f.exe
4616	u4e0.0.exe
6196	u4e0.1.exe
6516	3tAUUAFnOsGnIZlZOiWwaT0A.exe
6532	ujoASDvSG0oFc7iaVfomXa4f.exe
6540	nsEk8tLapmXJUwPLNptpRYaf.exe
6880	q6uCvgSm9hhrjhUiHod1QGuX.exe
6912	q6uCvgSm9hhrjhUiHod1QGuX.exe
7112	q6uCvgSm9hhrjhUiHod1QGuX.exe
6208	q6uCvgSm9hhrjhUiHod1QGuX.exe
6304	q6uCvgSm9hhrjhUiHod1QGuX.exe
5460	GVB4WVbt6lub5QXa6WvoEyUW.exe
5368	Assistant_108.0.5067.20_Setup.exe_sfx.exe
6984	assistant_installer.exe
6932	assistant_installer.exe
5284	csrss.exe
6712	HCAAEGIJKE.exe
7068	injector.exe
4340	windefender.exe
3972	windefender.exe
6764	explorha.exe
1020	NewB.exe
6820	explorha.exe
5488	NewB.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exee672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exeexplorha.exe845765797d.exeamert.exeexplorha.exeexplorgu.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	845765797d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Wine	explorha.exe

Loads dropped DLL 17 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeq6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exeu4e0.0.exerundll32.exeassistant_installer.exeassistant_installer.exe

pid	process
5272	rundll32.exe
5292	rundll32.exe
5340	rundll32.exe
5256	rundll32.exe
1904	rundll32.exe
6880	q6uCvgSm9hhrjhUiHod1QGuX.exe
6912	q6uCvgSm9hhrjhUiHod1QGuX.exe
7112	q6uCvgSm9hhrjhUiHod1QGuX.exe
6208	q6uCvgSm9hhrjhUiHod1QGuX.exe
6304	q6uCvgSm9hhrjhUiHod1QGuX.exe
4616	u4e0.0.exe
4616	u4e0.0.exe
6284	rundll32.exe
6984	assistant_installer.exe
6984	assistant_installer.exe
6932	assistant_installer.exe
6932	assistant_installer.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe	themida
behavioral2/memory/5460-1214-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp	themida
behavioral2/memory/5460-1218-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp	themida
behavioral2/memory/5460-1221-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp	themida
behavioral2/memory/5460-1226-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp	themida
behavioral2/memory/5460-1228-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp	themida
behavioral2/memory/5460-1230-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp	themida
behavioral2/memory/5460-1231-0x00007FF7E9F00000-0x00007FF7EAA0A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

ujoASDvSG0oFc7iaVfomXa4f.exe3tAUUAFnOsGnIZlZOiWwaT0A.execsrss.exeexplorha.exensEk8tLapmXJUwPLNptpRYaf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\845765797d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\845765797d.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	nsEk8tLapmXJUwPLNptpRYaf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

GVB4WVbt6lub5QXa6WvoEyUW.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GVB4WVbt6lub5QXa6WvoEyUW.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

q6uCvgSm9hhrjhUiHod1QGuX.exeq6uCvgSm9hhrjhUiHod1QGuX.exe

description	ioc	process
File opened (read-only)	\??\D:	q6uCvgSm9hhrjhUiHod1QGuX.exe
File opened (read-only)	\??\F:	q6uCvgSm9hhrjhUiHod1QGuX.exe
File opened (read-only)	\??\D:	q6uCvgSm9hhrjhUiHod1QGuX.exe
File opened (read-only)	\??\F:	q6uCvgSm9hhrjhUiHod1QGuX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 pastebin.com
63 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.myip.com
27 ipinfo.io
97 api.myip.com
99 ipinfo.io
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
1	pastebin.com
63	pastebin.com

flow	ioc
27	api.myip.com
27	ipinfo.io
97	api.myip.com
99	ipinfo.io

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe	autoit_exe

Drops file in System32 directory 17 IoCs

Processes:

GVB4WVbt6lub5QXa6WvoEyUW.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	GVB4WVbt6lub5QXa6WvoEyUW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	GVB4WVbt6lub5QXa6WvoEyUW.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	GVB4WVbt6lub5QXa6WvoEyUW.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	GVB4WVbt6lub5QXa6WvoEyUW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exeexplorha.exeamert.exeexplorha.exeexplorgu.exeGVB4WVbt6lub5QXa6WvoEyUW.exeexplorha.exeexplorha.exe

pid	process
1532	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
2452	explorha.exe
5776	amert.exe
1948	explorha.exe
4028	explorgu.exe
5460	GVB4WVbt6lub5QXa6WvoEyUW.exe
6764	explorha.exe
6820	explorha.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

koooooo.exefile300un.exeEaA7jWUT5Mk5zv8oV8rBf6pX.exe

description	pid	process	target process
PID 5492 set thread context of 4516	5492	koooooo.exe	RegAsm.exe
PID 6132 set thread context of 1392	6132	file300un.exe	regasm.exe
PID 4768 set thread context of 3040	4768	EaA7jWUT5Mk5zv8oV8rBf6pX.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

ujoASDvSG0oFc7iaVfomXa4f.exensEk8tLapmXJUwPLNptpRYaf.exe3tAUUAFnOsGnIZlZOiWwaT0A.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	ujoASDvSG0oFc7iaVfomXa4f.exe
File opened (read-only)	\??\VBoxMiniRdrDN	nsEk8tLapmXJUwPLNptpRYaf.exe
File opened (read-only)	\??\VBoxMiniRdrDN	3tAUUAFnOsGnIZlZOiWwaT0A.exe

Drops file in Windows directory 10 IoCs

Processes:

csrss.exe3tAUUAFnOsGnIZlZOiWwaT0A.exeamert.exensEk8tLapmXJUwPLNptpRYaf.exeujoASDvSG0oFc7iaVfomXa4f.exee672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe

description	ioc	process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	3tAUUAFnOsGnIZlZOiWwaT0A.exe
File created	C:\Windows\Tasks\explorgu.job	amert.exe
File opened for modification	C:\Windows\rss	nsEk8tLapmXJUwPLNptpRYaf.exe
File created	C:\Windows\rss\csrss.exe	nsEk8tLapmXJUwPLNptpRYaf.exe
File opened for modification	C:\Windows\rss	ujoASDvSG0oFc7iaVfomXa4f.exe
File created	C:\Windows\rss\csrss.exe	ujoASDvSG0oFc7iaVfomXa4f.exe
File created	C:\Windows\rss\csrss.exe	3tAUUAFnOsGnIZlZOiWwaT0A.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\explorha.job	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3040 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3040	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6064	5492	WerFault.exe	koooooo.exe
3864	4768	WerFault.exe	EaA7jWUT5Mk5zv8oV8rBf6pX.exe
6068	3040	WerFault.exe	RegAsm.exe
4432	3040	WerFault.exe	RegAsm.exe
6280	5688	WerFault.exe	pDTVFZcmrgmUEckZDi5iM2jk.exe
3600	4616	WerFault.exe	u4e0.0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u4e0.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4e0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4e0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4e0.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

u4e0.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u4e0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u4e0.0.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

6100 schtasks.exe
6656 schtasks.exe
6652 schtasks.exe

pid	process
6100	schtasks.exe
6656	schtasks.exe
6652	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

ujoASDvSG0oFc7iaVfomXa4f.exe3tAUUAFnOsGnIZlZOiWwaT0A.exepowershell.exepowershell.exepowershell.exewindefender.exensEk8tLapmXJUwPLNptpRYaf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	nsEk8tLapmXJUwPLNptpRYaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	nsEk8tLapmXJUwPLNptpRYaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	nsEk8tLapmXJUwPLNptpRYaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	nsEk8tLapmXJUwPLNptpRYaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	ujoASDvSG0oFc7iaVfomXa4f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	nsEk8tLapmXJUwPLNptpRYaf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	nsEk8tLapmXJUwPLNptpRYaf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	ujoASDvSG0oFc7iaVfomXa4f.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	ujoASDvSG0oFc7iaVfomXa4f.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

q6uCvgSm9hhrjhUiHod1QGuX.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	q6uCvgSm9hhrjhUiHod1QGuX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	q6uCvgSm9hhrjhUiHod1QGuX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	q6uCvgSm9hhrjhUiHod1QGuX.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4120 PING.EXE

pid	process
4120	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exeexplorha.exemsedge.exemsedge.exemsedge.exemsedge.exeamert.exerundll32.exepowershell.exemsedge.exeidentity_helper.exeexplorha.exeexplorgu.exeRegAsm.exepowershell.exepowershell.exepowershell.exeRegAsm.exedialer.exerundll32.exeu4e0.0.exe

pid	process
1532	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
1532	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
2452	explorha.exe
2452	explorha.exe
4796	msedge.exe
4796	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
1876	msedge.exe
1876	msedge.exe
2052	msedge.exe
2052	msedge.exe
5776	amert.exe
5776	amert.exe
5292	rundll32.exe
5292	rundll32.exe
5292	rundll32.exe
5292	rundll32.exe
5292	rundll32.exe
5292	rundll32.exe
5292	rundll32.exe
5292	rundll32.exe
5292	rundll32.exe
5292	rundll32.exe
5460	powershell.exe
5460	powershell.exe
5460	powershell.exe
5724	msedge.exe
5724	msedge.exe
2836	identity_helper.exe
2836	identity_helper.exe
1948	explorha.exe
1948	explorha.exe
4028	explorgu.exe
4028	explorgu.exe
4516	RegAsm.exe
4516	RegAsm.exe
4516	RegAsm.exe
4516	RegAsm.exe
2876	powershell.exe
2876	powershell.exe
1864	powershell.exe
1864	powershell.exe
5260	powershell.exe
5260	powershell.exe
5260	powershell.exe
3040	RegAsm.exe
3040	RegAsm.exe
2876	powershell.exe
1864	powershell.exe
2088	dialer.exe
2088	dialer.exe
2088	dialer.exe
2088	dialer.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
4616	u4e0.0.exe
4616	u4e0.0.exe
1904	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

powershell.exeregasm.exepowershell.exepowershell.exepowershell.exepowershell.exensEk8tLapmXJUwPLNptpRYaf.exe3tAUUAFnOsGnIZlZOiWwaT0A.exeujoASDvSG0oFc7iaVfomXa4f.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepowershell.exepowershell.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	5460	powershell.exe
Token: SeDebugPrivilege	1392	regasm.exe
Token: SeDebugPrivilege	5260	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	5444	nsEk8tLapmXJUwPLNptpRYaf.exe
Token: SeDebugPrivilege	588	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Token: SeImpersonatePrivilege	5444	nsEk8tLapmXJUwPLNptpRYaf.exe
Token: SeImpersonatePrivilege	588	3tAUUAFnOsGnIZlZOiWwaT0A.exe
Token: SeDebugPrivilege	5960	ujoASDvSG0oFc7iaVfomXa4f.exe
Token: SeImpersonatePrivilege	5960	ujoASDvSG0oFc7iaVfomXa4f.exe
Token: SeDebugPrivilege	6928	powershell.exe
Token: SeDebugPrivilege	6952	powershell.exe
Token: SeDebugPrivilege	6936	powershell.exe
Token: SeDebugPrivilege	6572	powershell.exe
Token: SeDebugPrivilege	6972	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	6904	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	6956	powershell.exe
Token: SeDebugPrivilege	6568	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeSystemEnvironmentPrivilege	5284	csrss.exe
Token: SeSecurityPrivilege	3040	sc.exe
Token: SeSecurityPrivilege	3040	sc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

go.exemsedge.exeu4e0.1.exe

pid	process
2520	go.exe
2520	go.exe
2520	go.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

go.exemsedge.exeu4e0.1.exe

pid	process
2520	go.exe
2520	go.exe
2520	go.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe
6196	u4e0.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exeexplorha.exego.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1532 wrote to memory of 2452	1532	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe	explorha.exe
PID 1532 wrote to memory of 2452	1532	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe	explorha.exe
PID 1532 wrote to memory of 2452	1532	e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe	explorha.exe
PID 2452 wrote to memory of 4596	2452	explorha.exe	845765797d.exe
PID 2452 wrote to memory of 4596	2452	explorha.exe	845765797d.exe
PID 2452 wrote to memory of 4596	2452	explorha.exe	845765797d.exe
PID 2452 wrote to memory of 2260	2452	explorha.exe	explorha.exe
PID 2452 wrote to memory of 2260	2452	explorha.exe	explorha.exe
PID 2452 wrote to memory of 2260	2452	explorha.exe	explorha.exe
PID 2452 wrote to memory of 2520	2452	explorha.exe	go.exe
PID 2452 wrote to memory of 2520	2452	explorha.exe	go.exe
PID 2452 wrote to memory of 2520	2452	explorha.exe	go.exe
PID 2520 wrote to memory of 4828	2520	go.exe	msedge.exe
PID 2520 wrote to memory of 4828	2520	go.exe	msedge.exe
PID 4828 wrote to memory of 1920	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1920	4828	msedge.exe	msedge.exe
PID 2520 wrote to memory of 2236	2520	go.exe	msedge.exe
PID 2520 wrote to memory of 2236	2520	go.exe	msedge.exe
PID 2236 wrote to memory of 5032	2236	msedge.exe	msedge.exe
PID 2236 wrote to memory of 5032	2236	msedge.exe	msedge.exe
PID 2520 wrote to memory of 1936	2520	go.exe	msedge.exe
PID 2520 wrote to memory of 1936	2520	go.exe	msedge.exe
PID 1936 wrote to memory of 2356	1936	msedge.exe	msedge.exe
PID 1936 wrote to memory of 2356	1936	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1696	4828	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2852

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088

C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe
"C:\Users\Admin\AppData\Local\Temp\e672e78fb7b85da95197a7f4d02e84b989f0c4831451d13bdefc1dd50eec0c92.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\845765797d.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:4596

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd8
5⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
5⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
5⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
5⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
5⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
5⤵
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
5⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
5⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
5⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5724

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
5⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
5⤵
PID:5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
5⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
5⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,16727302503662276471,9786862933659491219,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5732 /prefetch:2
5⤵
PID:912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
4⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd8
5⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,11730444883340221998,15796735358467417627,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
5⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,11730444883340221998,15796735358467417627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee1353cb8,0x7ffee1353cc8,0x7ffee1353cd8
5⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,608283380746736222,8905572082569204458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5776

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:5272

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5292

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:5312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\1001058001\koooooo.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 460
3⤵
- Program crash
PID:6064

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:6100

C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1001060001\file300un.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe
"C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe
"C:\Users\Admin\Pictures\nsEk8tLapmXJUwPLNptpRYaf.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:2248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4552

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:3128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6956

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:6656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:5300

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:3196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:6572

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
- Executes dropped EXE
PID:7068

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:6652

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
- Executes dropped EXE
PID:4340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:1156

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe
"C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe
"C:\Users\Admin\Pictures\3tAUUAFnOsGnIZlZOiWwaT0A.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6952

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5768

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:1680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Users\Admin\Pictures\pDTVFZcmrgmUEckZDi5iM2jk.exe
"C:\Users\Admin\Pictures\pDTVFZcmrgmUEckZDi5iM2jk.exe"
4⤵
- Executes dropped EXE
PID:5688

C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4e0.0.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
6⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe
"C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe"
7⤵
- Executes dropped EXE
PID:6712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HCAAEGIJKE.exe
8⤵
PID:5384

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
9⤵
- Runs ping.exe
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 2848
6⤵
- Program crash
PID:3600

C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4e0.1.exe"
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6196

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:6568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1160
5⤵
- Program crash
PID:6280

C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe
"C:\Users\Admin\Pictures\EaA7jWUT5Mk5zv8oV8rBf6pX.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 532
6⤵
- Program crash
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 552
6⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 884
5⤵
- Program crash
PID:3864

C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe
"C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe
"C:\Users\Admin\Pictures\ujoASDvSG0oFc7iaVfomXa4f.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5380

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:5300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6904

C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
"C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe" --silent --allusers=0
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:6880

C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x298,0x6e70e1d0,0x6e70e1dc,0x6e70e1e8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6912

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q6uCvgSm9hhrjhUiHod1QGuX.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\q6uCvgSm9hhrjhUiHod1QGuX.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7112

C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
"C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6880 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240329140620" --session-guid=e69f7e68-1247-4e2f-9070-8055d54aa567 --server-tracking-blob=NzhhMjMyOGUzNzMxMDZmYjE4MTkyYWUxODdkM2I1MzkwODU1M2U3N2RlNGU5OWU0OTlmOTNlMTgxYTRmYTMwMjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N180NTYiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTE3MjExNjkuNjI3NCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N180NTYiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6IjhkZmNkNTc2LWEyZDQtNGE1Yy04ODRmLTlkNDMwMzRkNTE0NyJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4805000000000000
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
PID:6208

C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe
C:\Users\Admin\Pictures\q6uCvgSm9hhrjhUiHod1QGuX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.35 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6dd8e1d0,0x6dd8e1dc,0x6dd8e1e8
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6304

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
5⤵
- Executes dropped EXE
PID:5368

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe" --version
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6984

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403291406201\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x1190040,0x119004c,0x1190058
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6932

C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe
"C:\Users\Admin\Pictures\GVB4WVbt6lub5QXa6WvoEyUW.exe"
4⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:5256

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:4552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5492 -ip 5492
1⤵
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4768 -ip 4768
1⤵
PID:256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3040 -ip 3040
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3040 -ip 3040
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5688 -ip 5688
1⤵
PID:6216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4616 -ip 4616
1⤵
PID:5080

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3972

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6764

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6820

C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe
1⤵
- Executes dropped EXE
PID:5488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion