strrat | 4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	x.exe

Blocklisted process makes network request 40 IoCs

flow	pid	Process
5	2504	powershell.exe
6	2504	powershell.exe
9	2460	wscript.exe
11	2460	wscript.exe
14	2460	wscript.exe
15	2460	wscript.exe
17	2460	wscript.exe
18	2460	wscript.exe
19	2460	wscript.exe
20	2460	wscript.exe
22	2460	wscript.exe
23	2460	wscript.exe
25	2460	wscript.exe
26	2460	wscript.exe
27	2460	wscript.exe
28	2460	wscript.exe
30	2460	wscript.exe
31	2460	wscript.exe
33	2460	wscript.exe
34	2460	wscript.exe
35	2460	wscript.exe
36	2460	wscript.exe
38	2460	wscript.exe
39	2460	wscript.exe
41	2460	wscript.exe
42	2460	wscript.exe
43	2460	wscript.exe
45	2460	wscript.exe
46	2460	wscript.exe
47	2460	wscript.exe
49	2460	wscript.exe
59	2460	wscript.exe
66	2460	wscript.exe
68	2460	wscript.exe
74	2460	wscript.exe
76	2460	wscript.exe
79	2460	wscript.exe
81	2460	wscript.exe
82	2460	wscript.exe
84	2460	wscript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	x.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	x.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.JS	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.JS	wscript.exe

Executes dropped EXE 56 IoCs

pid	Process
2472	EmbraTor Mac Smash Bullet.exe
1856	x.exe
1840	CL_Debug_Log.txt
1964	Helper.exe
1952	Helper.exe
676	Helper.exe
2896	Helper.exe
2872	Helper.exe
1320	Helper.exe
2104	Helper.exe
2084	Helper.exe
2792	Helper.exe
2324	Helper.exe
2464	Helper.exe
2244	Helper.exe
2852	Helper.exe
2960	Helper.exe
2840	Helper.exe
2788	Helper.exe
1576	Helper.exe
2012	Helper.exe
688	Helper.exe
1548	Helper.exe
2700	Helper.exe
3056	Helper.exe
2556	Helper.exe
1820	Helper.exe
1716	Helper.exe
1316	Helper.exe
2024	Helper.exe
1580	Helper.exe
1120	Helper.exe
2748	Helper.exe
1796	Helper.exe
2008	Helper.exe
2132	Helper.exe
2816	Helper.exe
848	Helper.exe
2196	Helper.exe
1824	Helper.exe
1760	Helper.exe
1512	Helper.exe
2824	tor.exe
2304	Helper.exe
1364	Helper.exe
2480	Helper.exe
2740	Helper.exe
1644	Helper.exe
1652	Helper.exe
2088	Helper.exe
2432	Helper.exe
1956	Helper.exe
2868	Helper.exe
2944	Helper.exe
2832	Helper.exe
3044	Helper.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine	x.exe

Loads dropped DLL 14 IoCs

pid	Process
2904	14052163e50c197697c64b143.exe
2904	14052163e50c197697c64b143.exe
2960	WScript.exe
1856	x.exe
2092	taskeng.exe
2080	Process not Found
2872	Helper.exe
2872	Helper.exe
2824	tor.exe
2824	tor.exe
2824	tor.exe
2824	tor.exe
2824	tor.exe
2824	tor.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.JS\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.JS\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.JS\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Antimalware Service Executable.JS\""	WScript.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1856-59-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-70-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-71-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-75-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-81-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-86-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-87-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-90-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-91-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-92-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-99-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/files/0x0006000000014b4c-101.dat	autoit_exe
behavioral1/memory/1856-100-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-104-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/memory/1856-105-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe
behavioral1/files/0x0007000000014a9a-109.dat	autoit_exe
behavioral1/memory/1856-112-0x00000000001C0000-0x00000000013E6000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2816	2872	Helper.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2992	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1552	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2504	powershell.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeRestorePrivilege	1840	CL_Debug_Log.txt
Token: 35	1840	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1840	CL_Debug_Log.txt
Token: SeSecurityPrivilege	1840	CL_Debug_Log.txt
Token: SeRestorePrivilege	2816	Helper.exe
Token: 35	2816	Helper.exe
Token: SeSecurityPrivilege	2816	Helper.exe
Token: SeSecurityPrivilege	2816	Helper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1856	x.exe
1856	x.exe
1856	x.exe
1964	Helper.exe
1964	Helper.exe
1952	Helper.exe
1964	Helper.exe
1964	Helper.exe
1952	Helper.exe
1952	Helper.exe
1952	Helper.exe
676	Helper.exe
676	Helper.exe
676	Helper.exe
2896	Helper.exe
2896	Helper.exe
2896	Helper.exe
676	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2104	Helper.exe
2104	Helper.exe
2084	Helper.exe
1320	Helper.exe
1320	Helper.exe
1320	Helper.exe
2084	Helper.exe
2104	Helper.exe
2104	Helper.exe
2084	Helper.exe
2084	Helper.exe
2324	Helper.exe
2324	Helper.exe
2464	Helper.exe
2792	Helper.exe
2324	Helper.exe
2324	Helper.exe
2792	Helper.exe
2464	Helper.exe
2792	Helper.exe
2464	Helper.exe
2792	Helper.exe
2464	Helper.exe
2244	Helper.exe
2852	Helper.exe
2852	Helper.exe
2852	Helper.exe
2244	Helper.exe
2244	Helper.exe
2244	Helper.exe
2960	Helper.exe
2960	Helper.exe
2960	Helper.exe
2960	Helper.exe
2840	Helper.exe
2840	Helper.exe
2788	Helper.exe
1576	Helper.exe
2840	Helper.exe
2840	Helper.exe
1576	Helper.exe
1576	Helper.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1856	x.exe
1856	x.exe
1856	x.exe
1964	Helper.exe
1964	Helper.exe
1952	Helper.exe
1964	Helper.exe
1964	Helper.exe
1952	Helper.exe
1952	Helper.exe
1952	Helper.exe
676	Helper.exe
676	Helper.exe
676	Helper.exe
2896	Helper.exe
2896	Helper.exe
2896	Helper.exe
676	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2872	Helper.exe
2104	Helper.exe
2104	Helper.exe
2084	Helper.exe
1320	Helper.exe
1320	Helper.exe
1320	Helper.exe
2084	Helper.exe
2104	Helper.exe
2104	Helper.exe
2084	Helper.exe
2084	Helper.exe
2324	Helper.exe
2324	Helper.exe
2464	Helper.exe
2792	Helper.exe
2324	Helper.exe
2324	Helper.exe
2792	Helper.exe
2464	Helper.exe
2792	Helper.exe
2464	Helper.exe
2792	Helper.exe
2464	Helper.exe
2244	Helper.exe
2852	Helper.exe
2852	Helper.exe
2852	Helper.exe
2244	Helper.exe
2244	Helper.exe
2244	Helper.exe
2960	Helper.exe
2960	Helper.exe
2960	Helper.exe
2960	Helper.exe
2840	Helper.exe
2840	Helper.exe
2788	Helper.exe
1576	Helper.exe
2840	Helper.exe
2840	Helper.exe
1576	Helper.exe
1576	Helper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2472	EmbraTor Mac Smash Bullet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1296	2904	14052163e50c197697c64b143.exe	28
PID 2904 wrote to memory of 1296	2904	14052163e50c197697c64b143.exe	28
PID 2904 wrote to memory of 1296	2904	14052163e50c197697c64b143.exe	28
PID 2904 wrote to memory of 1296	2904	14052163e50c197697c64b143.exe	28
PID 2904 wrote to memory of 2960	2904	14052163e50c197697c64b143.exe	29
PID 2904 wrote to memory of 2960	2904	14052163e50c197697c64b143.exe	29
PID 2904 wrote to memory of 2960	2904	14052163e50c197697c64b143.exe	29
PID 2904 wrote to memory of 2960	2904	14052163e50c197697c64b143.exe	29
PID 2904 wrote to memory of 2796	2904	14052163e50c197697c64b143.exe	30
PID 2904 wrote to memory of 2796	2904	14052163e50c197697c64b143.exe	30
PID 2904 wrote to memory of 2796	2904	14052163e50c197697c64b143.exe	30
PID 2904 wrote to memory of 2796	2904	14052163e50c197697c64b143.exe	30
PID 2904 wrote to memory of 2668	2904	14052163e50c197697c64b143.exe	31
PID 2904 wrote to memory of 2668	2904	14052163e50c197697c64b143.exe	31
PID 2904 wrote to memory of 2668	2904	14052163e50c197697c64b143.exe	31
PID 2904 wrote to memory of 2668	2904	14052163e50c197697c64b143.exe	31
PID 2904 wrote to memory of 2472	2904	14052163e50c197697c64b143.exe	32
PID 2904 wrote to memory of 2472	2904	14052163e50c197697c64b143.exe	32
PID 2904 wrote to memory of 2472	2904	14052163e50c197697c64b143.exe	32
PID 2904 wrote to memory of 2472	2904	14052163e50c197697c64b143.exe	32
PID 2796 wrote to memory of 2504	2796	WScript.exe	33
PID 2796 wrote to memory of 2504	2796	WScript.exe	33
PID 2796 wrote to memory of 2504	2796	WScript.exe	33
PID 2796 wrote to memory of 2504	2796	WScript.exe	33
PID 1296 wrote to memory of 2460	1296	WScript.exe	35
PID 1296 wrote to memory of 2460	1296	WScript.exe	35
PID 1296 wrote to memory of 2460	1296	WScript.exe	35
PID 1296 wrote to memory of 2460	1296	WScript.exe	35
PID 2960 wrote to memory of 1856	2960	WScript.exe	36
PID 2960 wrote to memory of 1856	2960	WScript.exe	36
PID 2960 wrote to memory of 1856	2960	WScript.exe	36
PID 2960 wrote to memory of 1856	2960	WScript.exe	36
PID 1856 wrote to memory of 1840	1856	x.exe	39
PID 1856 wrote to memory of 1840	1856	x.exe	39
PID 1856 wrote to memory of 1840	1856	x.exe	39
PID 1856 wrote to memory of 1840	1856	x.exe	39
PID 1856 wrote to memory of 2580	1856	x.exe	44
PID 1856 wrote to memory of 2580	1856	x.exe	44
PID 1856 wrote to memory of 2580	1856	x.exe	44
PID 1856 wrote to memory of 2580	1856	x.exe	44
PID 2580 wrote to memory of 2992	2580	cmd.exe	46
PID 2580 wrote to memory of 2992	2580	cmd.exe	46
PID 2580 wrote to memory of 2992	2580	cmd.exe	46
PID 2580 wrote to memory of 2992	2580	cmd.exe	46
PID 1856 wrote to memory of 1316	1856	x.exe	47
PID 1856 wrote to memory of 1316	1856	x.exe	47
PID 1856 wrote to memory of 1316	1856	x.exe	47
PID 1856 wrote to memory of 1316	1856	x.exe	47
PID 1316 wrote to memory of 1552	1316	cmd.exe	50
PID 1316 wrote to memory of 1552	1316	cmd.exe	50
PID 1316 wrote to memory of 1552	1316	cmd.exe	50
PID 1316 wrote to memory of 1552	1316	cmd.exe	50
PID 2092 wrote to memory of 1964	2092	taskeng.exe	52
PID 2092 wrote to memory of 1964	2092	taskeng.exe	52
PID 2092 wrote to memory of 1964	2092	taskeng.exe	52
PID 2092 wrote to memory of 1952	2092	taskeng.exe	53
PID 2092 wrote to memory of 1952	2092	taskeng.exe	53
PID 2092 wrote to memory of 1952	2092	taskeng.exe	53
PID 2092 wrote to memory of 676	2092	taskeng.exe	54
PID 2092 wrote to memory of 676	2092	taskeng.exe	54
PID 2092 wrote to memory of 676	2092	taskeng.exe	54
PID 2092 wrote to memory of 2896	2092	taskeng.exe	55
PID 2092 wrote to memory of 2896	2092	taskeng.exe	55
PID 2092 wrote to memory of 2896	2092	taskeng.exe	55

C:\Users\Admin\AppData\Local\Temp\14052163e50c197697c64b143.exe
"C:\Users\Admin\AppData\Local\Temp\14052163e50c197697c64b143.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Antimalware Service Executable.JS"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Antimalware Service Executable.JS"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:2460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MsMpEng.js"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\x.exe
    "C:\Users\Admin\AppData\Local\Temp\x.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
        5⤵
        Creates scheduled task(s)
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\x.exe"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\x.exe" exit)
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 0
        5⤵
        Delays execution with timeout.exe
        
        PID:1552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Windows Driver Foundation.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\ProgramData\rrrrrrrr.ps1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Java Install.jar"
  2⤵
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe
  "C:\Users\Admin\AppData\Local\Temp\EmbraTor Mac Smash Bullet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2472

C:\Windows\system32\taskeng.exe
taskeng.exe {C2D580E4-8650-4C35-BF11-7BF94CEC4A3D} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2872
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2816
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1952
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:676
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2896
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2084
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1320
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2464
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2104
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2324
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2960
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2244
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2852
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2840
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1576
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:1548
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2788
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:688
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:2556
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:3056
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:1316
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1820
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:1120
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1580
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:2748
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2008
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:2196
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:848
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:1512
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1760
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:2304
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1364
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:2740
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2480
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:2088
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1652
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:2868
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:1956
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:3044
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

Virtualization/Sandbox Evasion