amadey | 624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16

Processes:

file300un.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0"	file300un.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorta.exechrosha.exe624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exeexplorta.exe864cb83ee9.exeamert.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	864cb83ee9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

35 448 rundll32.exe
47 1572 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1016 netsh.exe
4744 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
35	448	rundll32.exe
47	1572	rundll32.exe

pid	process
1016	netsh.exe
4744	netsh.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorta.exe864cb83ee9.exeamert.exeexplorta.exechrosha.exe624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	864cb83ee9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	864cb83ee9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe

Executes dropped EXE 22 IoCs

Processes:

explorta.exe864cb83ee9.exeamert.exeexplorta.exechrosha.exeswiiiii.exec163c56343.exealexxxxxxxx.exekeks.exetrf.exegold.exeNewB.exejok.exeswiiii.exefile300un.exep9BdjhNJdduczHC1IocKZGJt.exeJnNUOEmkeQ6PEGVuauqlhTZu.exea551lPf8X6uJRAt2fQLcnLny.exeu4q0.0.exerun.exeJnNUOEmkeQ6PEGVuauqlhTZu.exea551lPf8X6uJRAt2fQLcnLny.exe

pid	process
1816	explorta.exe
2500	864cb83ee9.exe
1540	amert.exe
4680	explorta.exe
3672	chrosha.exe
3236	swiiiii.exe
2448	c163c56343.exe
2428	alexxxxxxxx.exe
1944	keks.exe
5008	trf.exe
4960	gold.exe
3508	NewB.exe
5348	jok.exe
5700	swiiii.exe
5296	file300un.exe
6120	p9BdjhNJdduczHC1IocKZGJt.exe
5276	JnNUOEmkeQ6PEGVuauqlhTZu.exe
5340	a551lPf8X6uJRAt2fQLcnLny.exe
5756	u4q0.0.exe
4288	run.exe
5868	JnNUOEmkeQ6PEGVuauqlhTZu.exe
1248	a551lPf8X6uJRAt2fQLcnLny.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorta.exechrosha.exe624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exeexplorta.exe864cb83ee9.exeamert.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	864cb83ee9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine	amert.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerun.exe

pid process

4632 rundll32.exe
448 rundll32.exe
1572 rundll32.exe
4288 run.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4632	rundll32.exe
448	rundll32.exe
1572	rundll32.exe
4288	run.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\hw5EAE0IimByqykkS4BmQtnH.exe	themida

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

file300un.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0"	file300un.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

explorta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\864cb83ee9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000009001\\864cb83ee9.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\c163c56343.exe = "C:\\Users\\Admin\\1000013002\\c163c56343.exe"	explorta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

file300un.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

58 pastebin.com
61 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

103 ipinfo.io
105 ipinfo.io
100 api.myip.com
102 api.myip.com

flow	ioc
58	pastebin.com
61	pastebin.com

flow	ioc
103	ipinfo.io
105	ipinfo.io
100	api.myip.com
102	api.myip.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\1000013002\c163c56343.exe	autoit_exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exeexplorta.exe864cb83ee9.exeamert.exeexplorta.exechrosha.exe

pid	process
4920	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe
1816	explorta.exe
2500	864cb83ee9.exe
1540	amert.exe
4680	explorta.exe
3672	chrosha.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

swiiiii.exealexxxxxxxx.exegold.exeswiiii.exefile300un.exerun.exe

description	pid	process	target process
PID 3236 set thread context of 1336	3236	swiiiii.exe	RegAsm.exe
PID 2428 set thread context of 3204	2428	alexxxxxxxx.exe	RegAsm.exe
PID 4960 set thread context of 4992	4960	gold.exe	RegAsm.exe
PID 5700 set thread context of 5812	5700	swiiii.exe	RegAsm.exe
PID 5296 set thread context of 5480	5296	file300un.exe	jsc.exe
PID 4288 set thread context of 5396	4288	run.exe	cmd.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

Processes:

JnNUOEmkeQ6PEGVuauqlhTZu.exea551lPf8X6uJRAt2fQLcnLny.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	JnNUOEmkeQ6PEGVuauqlhTZu.exe
File opened (read-only)	\??\VBoxMiniRdrDN	a551lPf8X6uJRAt2fQLcnLny.exe

Drops file in Windows directory 2 IoCs

Processes:

624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorta.job	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2056 sc.exe
2512 sc.exe
752 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2056	sc.exe
2512	sc.exe
752	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4516	3236	WerFault.exe	swiiiii.exe
1580	2428	WerFault.exe	alexxxxxxxx.exe
1572	4960	WerFault.exe	gold.exe
5660	5756	WerFault.exe	u4q0.0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5168 schtasks.exe
2452 schtasks.exe
3112 schtasks.exe

pid	process
5168	schtasks.exe
2452	schtasks.exe
3112	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

JnNUOEmkeQ6PEGVuauqlhTZu.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	JnNUOEmkeQ6PEGVuauqlhTZu.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3263309122-2820180308-3568046652-1000\{102A144E-C54E-4A33-856B-BB517308E674}	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

keks.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exeexplorta.exe864cb83ee9.exeamert.exeexplorta.exechrosha.exechrome.exerundll32.exepowershell.exekeks.exetrf.exeRegAsm.exepowershell.exejok.exepowershell.exepowershell.exe

pid	process
4920	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe
4920	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe
1816	explorta.exe
1816	explorta.exe
2500	864cb83ee9.exe
2500	864cb83ee9.exe
1540	amert.exe
1540	amert.exe
4680	explorta.exe
4680	explorta.exe
3672	chrosha.exe
3672	chrosha.exe
2380	chrome.exe
2380	chrome.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
448	rundll32.exe
4108	powershell.exe
4108	powershell.exe
4108	powershell.exe
1944	keks.exe
1944	keks.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5008	trf.exe
5812	RegAsm.exe
5812	RegAsm.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5348	jok.exe
5348	jok.exe
5840	powershell.exe
5840	powershell.exe
2920	powershell.exe
2920	powershell.exe
5840	powershell.exe
2920	powershell.exe
5348	jok.exe
5348	jok.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

run.exe

pid process

4288 run.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2380 chrome.exe
2380 chrome.exe
2380 chrome.exe
2380 chrome.exe

pid	process
4288	run.exe

pid	process
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exetrf.exekeks.exefile300un.exejsc.exepowershell.exejok.exepowershell.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeDebugPrivilege	4108	powershell.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeDebugPrivilege	5008	trf.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeBackupPrivilege	5008	trf.exe
Token: SeSecurityPrivilege	5008	trf.exe
Token: SeSecurityPrivilege	5008	trf.exe
Token: SeSecurityPrivilege	5008	trf.exe
Token: SeSecurityPrivilege	5008	trf.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeDebugPrivilege	1944	keks.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeShutdownPrivilege	2380	chrome.exe
Token: SeCreatePagefilePrivilege	2380	chrome.exe
Token: SeDebugPrivilege	5296	file300un.exe
Token: SeDebugPrivilege	5480	jsc.exe
Token: SeDebugPrivilege	5424	powershell.exe
Token: SeDebugPrivilege	5348	jok.exe
Token: SeDebugPrivilege	5840	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

c163c56343.exechrome.exe

pid	process
2448	c163c56343.exe
2448	c163c56343.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2448	c163c56343.exe
2448	c163c56343.exe
2380	chrome.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

c163c56343.exechrome.exe

pid	process
2448	c163c56343.exe
2448	c163c56343.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2380	chrome.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe
2448	c163c56343.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

run.exe

pid process

4288 run.exe
4288 run.exe

pid	process
4288	run.exe
4288	run.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exeexplorta.exechrosha.exeswiiiii.exec163c56343.exechrome.exe

description	pid	process	target process
PID 4920 wrote to memory of 1816	4920	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe	explorta.exe
PID 4920 wrote to memory of 1816	4920	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe	explorta.exe
PID 4920 wrote to memory of 1816	4920	624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe	explorta.exe
PID 1816 wrote to memory of 2500	1816	explorta.exe	864cb83ee9.exe
PID 1816 wrote to memory of 2500	1816	explorta.exe	864cb83ee9.exe
PID 1816 wrote to memory of 2500	1816	explorta.exe	864cb83ee9.exe
PID 1816 wrote to memory of 760	1816	explorta.exe	explorta.exe
PID 1816 wrote to memory of 760	1816	explorta.exe	explorta.exe
PID 1816 wrote to memory of 760	1816	explorta.exe	explorta.exe
PID 1816 wrote to memory of 1540	1816	explorta.exe	amert.exe
PID 1816 wrote to memory of 1540	1816	explorta.exe	amert.exe
PID 1816 wrote to memory of 1540	1816	explorta.exe	amert.exe
PID 3672 wrote to memory of 3236	3672	chrosha.exe	swiiiii.exe
PID 3672 wrote to memory of 3236	3672	chrosha.exe	swiiiii.exe
PID 3672 wrote to memory of 3236	3672	chrosha.exe	swiiiii.exe
PID 3236 wrote to memory of 4912	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 4912	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 4912	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 3236 wrote to memory of 1336	3236	swiiiii.exe	RegAsm.exe
PID 1816 wrote to memory of 2448	1816	explorta.exe	c163c56343.exe
PID 1816 wrote to memory of 2448	1816	explorta.exe	c163c56343.exe
PID 1816 wrote to memory of 2448	1816	explorta.exe	c163c56343.exe
PID 2448 wrote to memory of 2380	2448	c163c56343.exe	chrome.exe
PID 2448 wrote to memory of 2380	2448	c163c56343.exe	chrome.exe
PID 2380 wrote to memory of 2844	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 2844	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe
PID 2380 wrote to memory of 4260	2380	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

file300un.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe
"C:\Users\Admin\AppData\Local\Temp\624b8952fbb250d0a8d780caa97958014b47035f61bf1c1c8acd998a54c71d16.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\1000009001\864cb83ee9.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\864cb83ee9.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Users\Admin\1000013002\c163c56343.exe
"C:\Users\Admin\1000013002\c163c56343.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe2e56ab58,0x7ffe2e56ab68,0x7ffe2e56ab78
5⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:2
5⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:8
5⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:8
5⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2996 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:1
5⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:1
5⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4188 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:1
5⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3376 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:1
5⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4312 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:8
5⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:8
5⤵
- Modifies registry class
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:8
5⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:8
5⤵
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1816,i,5385030876061061689,11581039224751544557,131072 /prefetch:8
5⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4680

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 896
3⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
2⤵
- Loads dropped DLL
PID:4632

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:448

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\263309122282_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3204

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:3112

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 368
3⤵
- Program crash
PID:1580

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 388
3⤵
- Program crash
PID:1572

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1572

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
2⤵
- Executes dropped EXE
PID:3508

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
3⤵
- Creates scheduled task(s)
PID:5168

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5812

C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:5296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Users\Admin\Pictures\p9BdjhNJdduczHC1IocKZGJt.exe
"C:\Users\Admin\Pictures\p9BdjhNJdduczHC1IocKZGJt.exe"
4⤵
- Executes dropped EXE
PID:6120

C:\Users\Admin\AppData\Local\Temp\u4q0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4q0.0.exe"
5⤵
- Executes dropped EXE
PID:5756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 1096
6⤵
- Program crash
PID:5660

C:\Users\Admin\AppData\Local\Temp\u4q0.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u4q0.2\run.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
6⤵
PID:5396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
7⤵
PID:5460

C:\Users\Admin\Pictures\JnNUOEmkeQ6PEGVuauqlhTZu.exe
"C:\Users\Admin\Pictures\JnNUOEmkeQ6PEGVuauqlhTZu.exe"
4⤵
- Executes dropped EXE
PID:5276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Users\Admin\Pictures\JnNUOEmkeQ6PEGVuauqlhTZu.exe
"C:\Users\Admin\Pictures\JnNUOEmkeQ6PEGVuauqlhTZu.exe"
5⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:5868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:6112

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:1016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Modifies data under HKEY_USERS
PID:4836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:1640

C:\Users\Admin\Pictures\a551lPf8X6uJRAt2fQLcnLny.exe
"C:\Users\Admin\Pictures\a551lPf8X6uJRAt2fQLcnLny.exe"
4⤵
- Executes dropped EXE
PID:5340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Users\Admin\Pictures\a551lPf8X6uJRAt2fQLcnLny.exe
"C:\Users\Admin\Pictures\a551lPf8X6uJRAt2fQLcnLny.exe"
5⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
PID:1248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5040

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:4744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Modifies data under HKEY_USERS
PID:3064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:4748

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
PID:5840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:3612

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:2452

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:4756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:5340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
PID:1352

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:3112

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:3204

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
PID:752

C:\Users\Admin\Pictures\BMgqZcrpvsNSqSSo9WlUKOoR.exe
"C:\Users\Admin\Pictures\BMgqZcrpvsNSqSSo9WlUKOoR.exe" --silent --allusers=0
4⤵
PID:6028

C:\Users\Admin\Pictures\BMgqZcrpvsNSqSSo9WlUKOoR.exe
C:\Users\Admin\Pictures\BMgqZcrpvsNSqSSo9WlUKOoR.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.59 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6b40e1d0,0x6b40e1dc,0x6b40e1e8
5⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BMgqZcrpvsNSqSSo9WlUKOoR.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BMgqZcrpvsNSqSSo9WlUKOoR.exe" --version
5⤵
PID:2376

C:\Users\Admin\Pictures\BMgqZcrpvsNSqSSo9WlUKOoR.exe
"C:\Users\Admin\Pictures\BMgqZcrpvsNSqSSo9WlUKOoR.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6028 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240424144314" --session-guid=3e5d6853-54ec-4651-98ab-3964668723ca --server-tracking-blob="NWU5YTBlZDAxZWRiODBkYjA4MjkxYjM4OGUzZWQyYWE3MDg1Y2Q3MDdjM2Q5MzFlZjU0NzA5Mzc0MzAzM2FkYjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzOTY5NzU4LjcwMjEiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMWJmYWFjMzktZjBjZi00Y2Q3LTgwMjEtYTFlZTIwOWFiZTM4In0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C04000000000000
5⤵
PID:5920

C:\Users\Admin\Pictures\BMgqZcrpvsNSqSSo9WlUKOoR.exe
C:\Users\Admin\Pictures\BMgqZcrpvsNSqSSo9WlUKOoR.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.59 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x6aa8e1d0,0x6aa8e1dc,0x6aa8e1e8
6⤵
PID:5988

C:\Users\Admin\Pictures\hw5EAE0IimByqykkS4BmQtnH.exe
"C:\Users\Admin\Pictures\hw5EAE0IimByqykkS4BmQtnH.exe"
4⤵
PID:5864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
2⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
3⤵
PID:3788

C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClient
4⤵
- Launches sc.exe
PID:2056

C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClient confirm
4⤵
PID:2484

C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
4⤵
PID:5888

C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClient
4⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
3⤵
PID:5468

C:\Windows\SysWOW64\sc.exe
Sc delete GameServerClientC
4⤵
- Launches sc.exe
PID:2512

C:\Program Files (x86)\GameServerClient\GameService.exe
GameService remove GameServerClientC confirm
4⤵
PID:2108

C:\Program Files (x86)\GameServerClient\GameService.exe
GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
4⤵
PID:6104

C:\Program Files (x86)\GameServerClient\GameService.exe
GameService start GameServerClientC
4⤵
PID:5548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
3⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3236 -ip 3236
1⤵
PID:3444

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2428 -ip 2428
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4960 -ip 4960
1⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:6044

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5756 -ip 5756
1⤵
PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5820

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
PID:1240

C:\Program Files (x86)\GameServerClient\GameServerClient.exe
"C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
2⤵
PID:3956

C:\Windows\Temp\690295.exe
"C:\Windows\Temp\690295.exe" --list-devices
3⤵
PID:3204

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
PID:5572

C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
"C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
2⤵
PID:3860

C:\Windows\Temp\540192.exe
"C:\Windows\Temp\540192.exe" --coin BTC -m ADDRESSES -t 0 --range 27be82f5c60000000:27be82f5c80000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
3⤵
PID:5504

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2808

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

Virtualization/Sandbox Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery