amadey | 713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6

Windows Service

T1543.003

Processes:

UFKR18i8F2F8sCqD8fhES1AS.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	UFKR18i8F2F8sCqD8fhES1AS.exe

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

file300un.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

UFKR18i8F2F8sCqD8fhES1AS.exefile300un.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	UFKR18i8F2F8sCqD8fhES1AS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0"	file300un.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

chrosha.exeexplorha.exeUFKR18i8F2F8sCqD8fhES1AS.exe713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exeexplorha.exeexplorha.exeamert.exe0cff54a004.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	UFKR18i8F2F8sCqD8fhES1AS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0cff54a004.exe

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

44 2016 rundll32.exe
45 1408 rundll32.exe
93 5840 rundll32.exe
98 5904 rundll32.exe
45 1408 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

5936 netsh.exe
3992 netsh.exe

flow	pid	process
44	2016	rundll32.exe
45	1408	rundll32.exe
93	5840	rundll32.exe
98	5904	rundll32.exe
45	1408	rundll32.exe

pid	process
5936	netsh.exe
3992	netsh.exe

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorha.exeamert.exe0cff54a004.exeUFKR18i8F2F8sCqD8fhES1AS.exe713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exeexplorha.exechrosha.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cff54a004.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	UFKR18i8F2F8sCqD8fhES1AS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	UFKR18i8F2F8sCqD8fhES1AS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cff54a004.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Drops startup file 6 IoCs

Processes:

regsvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XoVrANc5jWbxbcaSjp7I5GYy.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0uQbiFhw9rhkEhJlK2064Mvt.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jp7ljCJMMvXy7U7LgSCkn9UM.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NHMbdQwjxKWAakJwAHdK9uqs.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aaMeMlZcF2SifmTBZmhN4S7d.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E6SB4yx6VhYUn7H8tlr38Og8.bat	regsvcs.exe

Executes dropped EXE 24 IoCs

Processes:

explorha.exeexplorha.exeamert.exe7646ca2722.exe0cff54a004.exechrosha.exeexplorha.exefile300un.exemXvTe1U48oJGd9zN2dhSR0YE.exeDzQuBkvbEM6BGCsK9Sntk0ne.exehOweUv2OreQy6EE5XLgDZ7bm.exeUFKR18i8F2F8sCqD8fhES1AS.exeu1f0.0.exeu1f0.1.exewtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exeDzQuBkvbEM6BGCsK9Sntk0ne.exehOweUv2OreQy6EE5XLgDZ7bm.exeAssistant_109.0.5097.45_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exe

pid	process
4308	explorha.exe
1728	explorha.exe
4780	amert.exe
3772	7646ca2722.exe
4136	0cff54a004.exe
2228	chrosha.exe
4772	explorha.exe
1032	file300un.exe
1836	mXvTe1U48oJGd9zN2dhSR0YE.exe
2648	DzQuBkvbEM6BGCsK9Sntk0ne.exe
3768	hOweUv2OreQy6EE5XLgDZ7bm.exe
2824	UFKR18i8F2F8sCqD8fhES1AS.exe
4548	u1f0.0.exe
5672	u1f0.1.exe
6032	wtd56cyxOffP28QyEpSNMJS9.exe
6088	wtd56cyxOffP28QyEpSNMJS9.exe
772	wtd56cyxOffP28QyEpSNMJS9.exe
5504	wtd56cyxOffP28QyEpSNMJS9.exe
5624	wtd56cyxOffP28QyEpSNMJS9.exe
544	DzQuBkvbEM6BGCsK9Sntk0ne.exe
1476	hOweUv2OreQy6EE5XLgDZ7bm.exe
3008	Assistant_109.0.5097.45_Setup.exe_sfx.exe
6116	assistant_installer.exe
5484	assistant_installer.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exeexplorha.exeexplorha.exeamert.exe0cff54a004.exechrosha.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine	0cff54a004.exe
Key opened	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine	explorha.exe

Loads dropped DLL 15 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exewtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exerundll32.exeassistant_installer.exeassistant_installer.exe

pid	process
2856	rundll32.exe
2016	rundll32.exe
1408	rundll32.exe
5804	rundll32.exe
5840	rundll32.exe
6032	wtd56cyxOffP28QyEpSNMJS9.exe
6088	wtd56cyxOffP28QyEpSNMJS9.exe
772	wtd56cyxOffP28QyEpSNMJS9.exe
5504	wtd56cyxOffP28QyEpSNMJS9.exe
5624	wtd56cyxOffP28QyEpSNMJS9.exe
5904	rundll32.exe
6116	assistant_installer.exe
6116	assistant_installer.exe
5484	assistant_installer.exe
5484	assistant_installer.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\UFKR18i8F2F8sCqD8fhES1AS.exe	themida
behavioral2/memory/2824-398-0x00007FF7FE4A0000-0x00007FF7FEF82000-memory.dmp	themida
behavioral2/memory/2824-400-0x00007FF7FE4A0000-0x00007FF7FEF82000-memory.dmp	themida
behavioral2/memory/2824-402-0x00007FF7FE4A0000-0x00007FF7FEF82000-memory.dmp	themida
behavioral2/memory/2824-403-0x00007FF7FE4A0000-0x00007FF7FEF82000-memory.dmp	themida

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

file300un.exeUFKR18i8F2F8sCqD8fhES1AS.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0"	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1"	UFKR18i8F2F8sCqD8fhES1AS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

explorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\7646ca2722.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\7646ca2722.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\0cff54a004.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\0cff54a004.exe"	explorha.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

UFKR18i8F2F8sCqD8fhES1AS.exefile300un.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UFKR18i8F2F8sCqD8fhES1AS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

wtd56cyxOffP28QyEpSNMJS9.exewtd56cyxOffP28QyEpSNMJS9.exe

description	ioc	process
File opened (read-only)	\??\D:	wtd56cyxOffP28QyEpSNMJS9.exe
File opened (read-only)	\??\F:	wtd56cyxOffP28QyEpSNMJS9.exe
File opened (read-only)	\??\D:	wtd56cyxOffP28QyEpSNMJS9.exe
File opened (read-only)	\??\F:	wtd56cyxOffP28QyEpSNMJS9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 pastebin.com
60 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

75 api.myip.com
75 ipinfo.io
77 api.myip.com
79 ipinfo.io

flow	ioc
12	pastebin.com
60	pastebin.com

flow	ioc
75	api.myip.com
75	ipinfo.io
77	api.myip.com
79	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\7646ca2722.exe	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

UFKR18i8F2F8sCqD8fhES1AS.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	UFKR18i8F2F8sCqD8fhES1AS.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	UFKR18i8F2F8sCqD8fhES1AS.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	UFKR18i8F2F8sCqD8fhES1AS.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	UFKR18i8F2F8sCqD8fhES1AS.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exeexplorha.exeexplorha.exeamert.exe0cff54a004.exechrosha.exeexplorha.exeUFKR18i8F2F8sCqD8fhES1AS.exe

pid	process
1644	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
4308	explorha.exe
1728	explorha.exe
4780	amert.exe
4136	0cff54a004.exe
2228	chrosha.exe
4772	explorha.exe
2824	UFKR18i8F2F8sCqD8fhES1AS.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

file300un.exe

description pid process target process

PID 1032 set thread context of 3488 1032 file300un.exe regsvcs.exe

description	pid	process	target process
PID 1032 set thread context of 3488	1032	file300un.exe	regsvcs.exe

Drops file in Windows directory 2 IoCs

Processes:

713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5528 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5528	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5616	4548	WerFault.exe	u1f0.0.exe
5760	1836	WerFault.exe	mXvTe1U48oJGd9zN2dhSR0YE.exe
3456	544	WerFault.exe	DzQuBkvbEM6BGCsK9Sntk0ne.exe
5708	1476	WerFault.exe	hOweUv2OreQy6EE5XLgDZ7bm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

u1f0.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1f0.1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5376 schtasks.exe
240 schtasks.exe

pid	process
5376	schtasks.exe
240	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133579285911109863"	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

wtd56cyxOffP28QyEpSNMJS9.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	wtd56cyxOffP28QyEpSNMJS9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	wtd56cyxOffP28QyEpSNMJS9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	wtd56cyxOffP28QyEpSNMJS9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	wtd56cyxOffP28QyEpSNMJS9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	wtd56cyxOffP28QyEpSNMJS9.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exeexplorha.exeexplorha.exeamert.exechrome.exe0cff54a004.exerundll32.exepowershell.exechrosha.exeexplorha.exefile300un.exepowershell.exepowershell.exepowershell.exerundll32.exepowershell.exeDzQuBkvbEM6BGCsK9Sntk0ne.exehOweUv2OreQy6EE5XLgDZ7bm.exe

pid	process
1644	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
1644	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
4308	explorha.exe
4308	explorha.exe
1728	explorha.exe
1728	explorha.exe
4780	amert.exe
4780	amert.exe
1592	chrome.exe
1592	chrome.exe
4136	0cff54a004.exe
4136	0cff54a004.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
1472	powershell.exe
1472	powershell.exe
1472	powershell.exe
2228	chrosha.exe
2228	chrosha.exe
4772	explorha.exe
4772	explorha.exe
1032	file300un.exe
1032	file300un.exe
2484	powershell.exe
2484	powershell.exe
2484	powershell.exe
5200	powershell.exe
5200	powershell.exe
5208	powershell.exe
5208	powershell.exe
5208	powershell.exe
5200	powershell.exe
5840	rundll32.exe
5840	rundll32.exe
5840	rundll32.exe
5840	rundll32.exe
5840	rundll32.exe
5840	rundll32.exe
5840	rundll32.exe
5840	rundll32.exe
5840	rundll32.exe
5840	rundll32.exe
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe
2648	DzQuBkvbEM6BGCsK9Sntk0ne.exe
2648	DzQuBkvbEM6BGCsK9Sntk0ne.exe
3768	hOweUv2OreQy6EE5XLgDZ7bm.exe
3768	hOweUv2OreQy6EE5XLgDZ7bm.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1592 chrome.exe
1592 chrome.exe
1592 chrome.exe

pid	process
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe
Token: SeCreatePagefilePrivilege	1592	chrome.exe
Token: SeShutdownPrivilege	1592	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7646ca2722.exechrome.exe

pid	process
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
1592	chrome.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

7646ca2722.exechrome.exeu1f0.1.exe

pid	process
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
1592	chrome.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
3772	7646ca2722.exe
5672	u1f0.1.exe
5672	u1f0.1.exe
5672	u1f0.1.exe
5672	u1f0.1.exe
5672	u1f0.1.exe
5672	u1f0.1.exe
5672	u1f0.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exeexplorha.exe7646ca2722.exechrome.exe

description	pid	process	target process
PID 1644 wrote to memory of 4308	1644	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe	explorha.exe
PID 1644 wrote to memory of 4308	1644	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe	explorha.exe
PID 1644 wrote to memory of 4308	1644	713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe	explorha.exe
PID 4308 wrote to memory of 4780	4308	explorha.exe	amert.exe
PID 4308 wrote to memory of 4780	4308	explorha.exe	amert.exe
PID 4308 wrote to memory of 4780	4308	explorha.exe	amert.exe
PID 4308 wrote to memory of 3772	4308	explorha.exe	7646ca2722.exe
PID 4308 wrote to memory of 3772	4308	explorha.exe	7646ca2722.exe
PID 4308 wrote to memory of 3772	4308	explorha.exe	7646ca2722.exe
PID 3772 wrote to memory of 1592	3772	7646ca2722.exe	chrome.exe
PID 3772 wrote to memory of 1592	3772	7646ca2722.exe	chrome.exe
PID 1592 wrote to memory of 896	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 896	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4040	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 3168	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 3168	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe
PID 1592 wrote to memory of 4680	1592	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

file300un.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe
"C:\Users\Admin\AppData\Local\Temp\713cd004a6204a5e0ec7753c99ea7c3ba8229396dfced5627dffd8680d58bcc6.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000054001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4780
- - C:\Users\Admin\AppData\Local\Temp\1000055001\7646ca2722.exe
    "C:\Users\Admin\AppData\Local\Temp\1000055001\7646ca2722.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac878ab58,0x7ffac878ab68,0x7ffac878ab78
        5⤵
        
        PID:896
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:2
        5⤵
        
        PID:4040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:8
        5⤵
        
        PID:3168
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:8
        5⤵
        
        PID:4680
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:1
        5⤵
        
        PID:1140
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:1
        5⤵
        
        PID:4372
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4112 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:1
        5⤵
        
        PID:4704
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:8
        5⤵
        
        PID:4804
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:8
        5⤵
        
        PID:2460
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:8
        5⤵
        
        PID:3452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4760 --field-trial-handle=1780,i,6008172154086563742,14939695886924833334,131072 /prefetch:2
        5⤵
        
        PID:5332
- - C:\Users\Admin\AppData\Local\Temp\1000056001\0cff54a004.exe
    "C:\Users\Admin\AppData\Local\Temp\1000056001\0cff54a004.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2856
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2016
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\777591257247_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1408

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2228
- C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  PID:1032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    - Drops startup file
    PID:3488
  - - C:\Users\Admin\Pictures\mXvTe1U48oJGd9zN2dhSR0YE.exe
      "C:\Users\Admin\Pictures\mXvTe1U48oJGd9zN2dhSR0YE.exe"
      4⤵
      Executes dropped EXE
      PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\u1f0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1f0.0.exe"
        5⤵
        Executes dropped EXE
        
        PID:4548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1092
        6⤵
        Program crash
        
        PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\u1f0.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1f0.1.exe"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of SendNotifyMessage
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        6⤵
        
        PID:5732
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1600
        5⤵
        Program crash
        
        PID:5760
  - - C:\Users\Admin\Pictures\DzQuBkvbEM6BGCsK9Sntk0ne.exe
      "C:\Users\Admin\Pictures\DzQuBkvbEM6BGCsK9Sntk0ne.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2648
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5200
    - - C:\Users\Admin\Pictures\DzQuBkvbEM6BGCsK9Sntk0ne.exe
        
        "C:\Users\Admin\Pictures\DzQuBkvbEM6BGCsK9Sntk0ne.exe"
        5⤵
        Executes dropped EXE
        
        PID:544
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1988
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5916
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5936
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5068
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6056
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:2584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:5376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        
        PID:5480
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:240
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        7⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        Launches sc.exe
        
        PID:5528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 836
        6⤵
        Program crash
        
        PID:3456
  - - C:\Users\Admin\Pictures\hOweUv2OreQy6EE5XLgDZ7bm.exe
      "C:\Users\Admin\Pictures\hOweUv2OreQy6EE5XLgDZ7bm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3768
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5208
    - - C:\Users\Admin\Pictures\hOweUv2OreQy6EE5XLgDZ7bm.exe
        
        "C:\Users\Admin\Pictures\hOweUv2OreQy6EE5XLgDZ7bm.exe"
        5⤵
        Executes dropped EXE
        
        PID:1476
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5376
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:1844
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:3992
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5844
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 732
        6⤵
        Program crash
        
        PID:5708
  - - C:\Users\Admin\Pictures\UFKR18i8F2F8sCqD8fhES1AS.exe
      "C:\Users\Admin\Pictures\UFKR18i8F2F8sCqD8fhES1AS.exe"
      4⤵
      Modifies firewall policy service
      Windows security bypass
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2824
  - - C:\Users\Admin\Pictures\wtd56cyxOffP28QyEpSNMJS9.exe
      "C:\Users\Admin\Pictures\wtd56cyxOffP28QyEpSNMJS9.exe" --silent --allusers=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      PID:6032
    - - C:\Users\Admin\Pictures\wtd56cyxOffP28QyEpSNMJS9.exe
        
        C:\Users\Admin\Pictures\wtd56cyxOffP28QyEpSNMJS9.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6eb1e1d0,0x6eb1e1dc,0x6eb1e1e8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6088
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\wtd56cyxOffP28QyEpSNMJS9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\wtd56cyxOffP28QyEpSNMJS9.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:772
    - - C:\Users\Admin\Pictures\wtd56cyxOffP28QyEpSNMJS9.exe
        
        "C:\Users\Admin\Pictures\wtd56cyxOffP28QyEpSNMJS9.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6032 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240418154415" --session-guid=ae510d12-49ea-48d3-b9fd-99b445109ea9 --server-tracking-blob="MzYxZWI1MjVkNGZjNzljNDg5MTM4YTAxNWE0YmQzYjI5MTdjMWY3NDBkYjgyNzQyNzNmM2RiYTJhNjIzZTY3ODp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzNDU1MDQ3LjE0NzQiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNmM2NGIwODYtZmEzZS00NDJhLTg1OTYtYzI5NThjMjA4MzQ3In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C05000000000000
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        
        PID:5504
      - C:\Users\Admin\Pictures\wtd56cyxOffP28QyEpSNMJS9.exe
        
        C:\Users\Admin\Pictures\wtd56cyxOffP28QyEpSNMJS9.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6e19e1d0,0x6e19e1dc,0x6e19e1e8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5624
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181544151\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181544151\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        
        PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181544151\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181544151\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6116
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181544151\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404181544151\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x6d6038,0x6d6044,0x6d6050
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    PID:1464
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:5804
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5840
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\777591257247_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6068
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5904

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4548 -ip 4548
1⤵
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1836 -ip 1836
1⤵
PID:5720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k smphost
1⤵
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 544 -ip 544
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1476 -ip 1476
1⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:5352

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion