amadey | 2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9

Processes:

file300un.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0"	file300un.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorta.exe2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exeexplorta.exeexplorta.exe15006b6c76.exeamert.exechrosha.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	15006b6c76.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

120 5572 rundll32.exe
180 5284 rundll32.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

6564 netsh.exe
6952 netsh.exe
1736 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
120	5572	rundll32.exe
180	5284	rundll32.exe

pid	process
6564	netsh.exe
6952	netsh.exe
1736	netsh.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorta.exeexplorta.exeamert.exechrosha.exe2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exeexplorta.exe15006b6c76.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	15006b6c76.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	15006b6c76.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

explorta.exebcaee4e0a5.exechrosha.exeRegAsm.exeNewB.exeISetup8.exefile300un.exe2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	explorta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	bcaee4e0a5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	chrosha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	NewB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	ISetup8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	file300un.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe

Executes dropped EXE 19 IoCs

Processes:

explorta.exeexplorta.exe15006b6c76.exeamert.exebcaee4e0a5.exechrosha.exeexplorta.exeswiiiii.exealexxxxxxxx.exetrf.exekeks.exegold.exeNewB.exeISetup8.exejok.exeu328.0.exeswiiii.exetoolspub1.exefile300un.exe

pid	process
1660	explorta.exe
1872	explorta.exe
3136	15006b6c76.exe
4652	amert.exe
2224	bcaee4e0a5.exe
932	chrosha.exe
1216	explorta.exe
3052	swiiiii.exe
2740	alexxxxxxxx.exe
3984	trf.exe
2740	keks.exe
6016	gold.exe
2188	NewB.exe
3968	ISetup8.exe
5696	jok.exe
6140	u328.0.exe
6020	swiiii.exe
3376	toolspub1.exe
2296	file300un.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

explorta.exeexplorta.exe15006b6c76.exeamert.exechrosha.exeexplorta.exe2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	15006b6c76.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	chrosha.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	explorta.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

5548 rundll32.exe
5572 rundll32.exe
5284 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5548	rundll32.exe
5572	rundll32.exe
5284	rundll32.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\cu6TmelbYoDkfNmCAOeUXwJm.exe	themida

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

file300un.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	file300un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe = "0"	file300un.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

explorta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15006b6c76.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000009001\\15006b6c76.exe"	explorta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bcaee4e0a5.exe = "C:\\Users\\Admin\\1000013002\\bcaee4e0a5.exe"	explorta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

file300un.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file300un.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

186 pastebin.com
184 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

221 api.myip.com
222 api.myip.com
225 ipinfo.io
226 ipinfo.io

flow	ioc
186	pastebin.com
184	pastebin.com

flow	ioc
221	api.myip.com
222	api.myip.com
225	ipinfo.io
226	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\1000013002\bcaee4e0a5.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exeexplorta.exeexplorta.exe15006b6c76.exeamert.exechrosha.exeexplorta.exe

pid	process
3824	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
1660	explorta.exe
1872	explorta.exe
3136	15006b6c76.exe
4652	amert.exe
932	chrosha.exe
1216	explorta.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

swiiiii.exealexxxxxxxx.exegold.exeswiiii.exefile300un.exe

description	pid	process	target process
PID 3052 set thread context of 4352	3052	swiiiii.exe	RegAsm.exe
PID 2740 set thread context of 3864	2740	alexxxxxxxx.exe	RegAsm.exe
PID 6016 set thread context of 6048	6016	gold.exe	RegAsm.exe
PID 6020 set thread context of 3120	6020	swiiii.exe	RegAsm.exe
PID 2296 set thread context of 2652	2296	file300un.exe	CasPol.exe

Drops file in Windows directory 2 IoCs

Processes:

2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exeamert.exe

description	ioc	process
File created	C:\Windows\Tasks\explorta.job	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

5600 sc.exe
7092 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5600	sc.exe
7092	sc.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
392	3052	WerFault.exe	swiiiii.exe
3984	2740	WerFault.exe	alexxxxxxxx.exe
6108	6016	WerFault.exe	gold.exe
1536	3376	WerFault.exe	toolspub1.exe
2436	6140	WerFault.exe	u328.0.exe
2656	3968	WerFault.exe	ISetup8.exe
6448	6032	WerFault.exe	Bt1qccrJs0rqr5teIcchMXMQ.exe
5488	5724	WerFault.exe	u4nk.0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

toolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2640 schtasks.exe
6032 schtasks.exe

pid	process
2640	schtasks.exe
6032	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584524254487324"	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

keks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exeexplorta.exeexplorta.exe15006b6c76.exeamert.exechrome.exechrosha.exeexplorta.exerundll32.exepowershell.exekeks.exetrf.exepowershell.exe

pid	process
3824	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
3824	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
1660	explorta.exe
1660	explorta.exe
1872	explorta.exe
1872	explorta.exe
3136	15006b6c76.exe
3136	15006b6c76.exe
4652	amert.exe
4652	amert.exe
4880	chrome.exe
4880	chrome.exe
932	chrosha.exe
932	chrosha.exe
1216	explorta.exe
1216	explorta.exe
5572	rundll32.exe
5572	rundll32.exe
5572	rundll32.exe
5572	rundll32.exe
5572	rundll32.exe
5572	rundll32.exe
5572	rundll32.exe
5572	rundll32.exe
5572	rundll32.exe
5572	rundll32.exe
5688	powershell.exe
5688	powershell.exe
5688	powershell.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
2740	keks.exe
3984	trf.exe
3984	trf.exe
5560	powershell.exe
5560	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4880 chrome.exe
4880 chrome.exe
4880 chrome.exe

pid	process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetrf.exe

description	pid	process
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeDebugPrivilege	3984	trf.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exebcaee4e0a5.exechrome.exe

pid	process
3824	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
4880	chrome.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe

Suspicious use of SendNotifyMessage 60 IoCs

Processes:

bcaee4e0a5.exechrome.exe

pid	process
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe
2224	bcaee4e0a5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exeexplorta.exebcaee4e0a5.exechrome.exe

description	pid	process	target process
PID 3824 wrote to memory of 1660	3824	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe	explorta.exe
PID 3824 wrote to memory of 1660	3824	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe	explorta.exe
PID 3824 wrote to memory of 1660	3824	2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe	explorta.exe
PID 1660 wrote to memory of 3136	1660	explorta.exe	15006b6c76.exe
PID 1660 wrote to memory of 3136	1660	explorta.exe	15006b6c76.exe
PID 1660 wrote to memory of 3136	1660	explorta.exe	15006b6c76.exe
PID 1660 wrote to memory of 1356	1660	explorta.exe	explorta.exe
PID 1660 wrote to memory of 1356	1660	explorta.exe	explorta.exe
PID 1660 wrote to memory of 1356	1660	explorta.exe	explorta.exe
PID 1660 wrote to memory of 4652	1660	explorta.exe	amert.exe
PID 1660 wrote to memory of 4652	1660	explorta.exe	amert.exe
PID 1660 wrote to memory of 4652	1660	explorta.exe	amert.exe
PID 1660 wrote to memory of 2224	1660	explorta.exe	bcaee4e0a5.exe
PID 1660 wrote to memory of 2224	1660	explorta.exe	bcaee4e0a5.exe
PID 1660 wrote to memory of 2224	1660	explorta.exe	bcaee4e0a5.exe
PID 2224 wrote to memory of 4880	2224	bcaee4e0a5.exe	chrome.exe
PID 2224 wrote to memory of 4880	2224	bcaee4e0a5.exe	chrome.exe
PID 4880 wrote to memory of 1968	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 1968	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 364	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 1464	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 1464	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe
PID 4880 wrote to memory of 4916	4880	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

file300un.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file300un.exe

C:\Users\Admin\AppData\Local\Temp\2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe
"C:\Users\Admin\AppData\Local\Temp\2c115f9a9cc582603e99e34e25dfaa39c5425fdcce5bda1833691b58808697a9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
  "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\1000009001\15006b6c76.exe
    "C:\Users\Admin\AppData\Local\Temp\1000009001\15006b6c76.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3136
- - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    3⤵
    PID:1356
- - C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000012001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4652
- - C:\Users\Admin\1000013002\bcaee4e0a5.exe
    "C:\Users\Admin\1000013002\bcaee4e0a5.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeb648ab58,0x7ffeb648ab68,0x7ffeb648ab78
        5⤵
        
        PID:1968
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:2
        5⤵
        
        PID:364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:8
        5⤵
        
        PID:1464
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:8
        5⤵
        
        PID:4916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:1
        5⤵
        
        PID:2692
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:1
        5⤵
        
        PID:2700
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:1
        5⤵
        
        PID:1624
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:8
        5⤵
        
        PID:1676
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:8
        5⤵
        
        PID:4300
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:8
        5⤵
        
        PID:1832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:8
        5⤵
        
        PID:2224
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:8
        5⤵
        
        PID:2640
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1976,i,12848539383094791324,13523429156343472096,131072 /prefetch:8
        5⤵
        
        PID:5340

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:932
- C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 888
    3⤵
    - Program crash
    PID:392
- C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    PID:3864
  - - C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3984
  - - C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:6184
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:7156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 352
    3⤵
    - Program crash
    PID:3984
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:5548
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5572
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\597858682981_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5688
- C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
  "C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6016 -s 356
    3⤵
    - Program crash
    PID:6108
- C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
  "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2188
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2640
- - C:\Users\Admin\AppData\Local\Temp\1000223001\ISetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000223001\ISetup8.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3968
  - - C:\Users\Admin\AppData\Local\Temp\u328.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u328.0.exe"
      4⤵
      Executes dropped EXE
      PID:6140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 1016
        5⤵
        Program crash
        
        PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\u328.2\run.exe
      "C:\Users\Admin\AppData\Local\Temp\u328.2\run.exe"
      4⤵
      PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        
        PID:5516
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:7056
  - - C:\Users\Admin\AppData\Local\Temp\u328.3.exe
      "C:\Users\Admin\AppData\Local\Temp\u328.3.exe"
      4⤵
      PID:1964
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:1372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 1468
      4⤵
      Program crash
      PID:2656
- - C:\Users\Admin\AppData\Local\Temp\1000224001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000224001\toolspub1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 356
      4⤵
      Program crash
      PID:1536
- - C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe
    "C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe"
    3⤵
    PID:3668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000225001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4636
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:6564
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6336
- C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
  "C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"
  2⤵
  - Executes dropped EXE
  PID:5696
- C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3120
- C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System policy modification
  PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000181001\file300un.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:5644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:2652
  - - C:\Users\Admin\Pictures\Bt1qccrJs0rqr5teIcchMXMQ.exe
      "C:\Users\Admin\Pictures\Bt1qccrJs0rqr5teIcchMXMQ.exe"
      4⤵
      PID:6032
    - - C:\Users\Admin\AppData\Local\Temp\u4nk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4nk.0.exe"
        5⤵
        
        PID:5724
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 1012
        6⤵
        Program crash
        
        PID:5488
    - - C:\Users\Admin\AppData\Local\Temp\u4nk.2\run.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4nk.2\run.exe"
        5⤵
        
        PID:4524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        
        PID:3732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        7⤵
        
        PID:4276
    - - C:\Users\Admin\AppData\Local\Temp\u4nk.3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4nk.3.exe"
        5⤵
        
        PID:6340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 944
        5⤵
        Program crash
        
        PID:6448
  - - C:\Users\Admin\Pictures\6YoF5Q90JB9lsyXr6h9zXr9Q.exe
      "C:\Users\Admin\Pictures\6YoF5Q90JB9lsyXr6h9zXr9Q.exe"
      4⤵
      PID:4764
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2128
    - - C:\Users\Admin\Pictures\6YoF5Q90JB9lsyXr6h9zXr9Q.exe
        
        "C:\Users\Admin\Pictures\6YoF5Q90JB9lsyXr6h9zXr9Q.exe"
        5⤵
        
        PID:2340
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:2336
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:6920
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:6952
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6396
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6292
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:6976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:6032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:7136
  - - C:\Users\Admin\Pictures\ytOnC6n0AUDavao0goNr3psj.exe
      "C:\Users\Admin\Pictures\ytOnC6n0AUDavao0goNr3psj.exe"
      4⤵
      PID:700
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5832
    - - C:\Users\Admin\Pictures\ytOnC6n0AUDavao0goNr3psj.exe
        
        "C:\Users\Admin\Pictures\ytOnC6n0AUDavao0goNr3psj.exe"
        5⤵
        
        PID:6040
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:6960
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:1736
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6536
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3120
  - - C:\Users\Admin\Pictures\cu6TmelbYoDkfNmCAOeUXwJm.exe
      "C:\Users\Admin\Pictures\cu6TmelbYoDkfNmCAOeUXwJm.exe"
      4⤵
      PID:5324
  - - C:\Users\Admin\Pictures\s7RDxfiDXvyeNIpVeHMnIWZg.exe
      "C:\Users\Admin\Pictures\s7RDxfiDXvyeNIpVeHMnIWZg.exe" --silent --allusers=0
      4⤵
      PID:5648
    - - C:\Users\Admin\Pictures\s7RDxfiDXvyeNIpVeHMnIWZg.exe
        
        C:\Users\Admin\Pictures\s7RDxfiDXvyeNIpVeHMnIWZg.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.59 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x6a50e1d0,0x6a50e1dc,0x6a50e1e8
        5⤵
        
        PID:4164
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\s7RDxfiDXvyeNIpVeHMnIWZg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\s7RDxfiDXvyeNIpVeHMnIWZg.exe" --version
        5⤵
        
        PID:5404
    - - C:\Users\Admin\Pictures\s7RDxfiDXvyeNIpVeHMnIWZg.exe
        
        "C:\Users\Admin\Pictures\s7RDxfiDXvyeNIpVeHMnIWZg.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5648 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240424171448" --session-guid=ec70b162-a7e5-45dc-be85-37aad2e02011 --server-tracking-blob="M2Y2N2U3Mzg5YmU3N2U0Y2QwNjhjZDk0YzYxNWY0M2IzZDk2ZGI4YmYyZWIyNGVjNGE0Y2M1MTQ5ZWZiZWRhOTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTAiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEzOTc4ODY4LjE5NjIiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiNDkyODkxNjItNzdkZi00ODU3LWJlMjYtNTU1YjAzNDQzMTRiIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1804000000000000
        5⤵
        
        PID:876
      - C:\Users\Admin\Pictures\s7RDxfiDXvyeNIpVeHMnIWZg.exe
        
        C:\Users\Admin\Pictures\s7RDxfiDXvyeNIpVeHMnIWZg.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.59 --initial-client-data=0x2a4,0x2a8,0x2ac,0x274,0x2b0,0x69b8e1d0,0x69b8e1dc,0x69b8e1e8
        6⤵
        
        PID:6004
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404241714481\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404241714481\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe"
        5⤵
        
        PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404241714481\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404241714481\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:2156
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404241714481\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404241714481\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0xf86038,0xf86044,0xf86050
        6⤵
        
        PID:6612
  - - C:\Users\Admin\Pictures\OH24jDzy3WS0k1x7AtIds5fi.exe
      "C:\Users\Admin\Pictures\OH24jDzy3WS0k1x7AtIds5fi.exe"
      4⤵
      PID:6516
    - - C:\Users\Admin\AppData\Local\Temp\7zS6D37.tmp\Install.exe
        
        .\Install.exe /RvdidblCuX "385118" /S
        5⤵
        
        PID:5884
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        6⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        9⤵
        
        PID:5308
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:5284
- C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe
  "C:\Users\Admin\AppData\Local\Temp\1000208001\install.exe"
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installg.bat" "
    3⤵
    PID:6072
  - - C:\Windows\SysWOW64\sc.exe
      Sc delete GameServerClient
      4⤵
      Launches sc.exe
      PID:5600
  - - C:\Program Files (x86)\GameServerClient\GameService.exe
      GameService remove GameServerClient confirm
      4⤵
      PID:1932
  - - C:\Program Files (x86)\GameServerClient\GameService.exe
      GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
      4⤵
      PID:5500
  - - C:\Program Files (x86)\GameServerClient\GameService.exe
      GameService start GameServerClient
      4⤵
      PID:716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameServerClient\installc.bat" "
    3⤵
    PID:6756
  - - C:\Windows\SysWOW64\sc.exe
      Sc delete GameServerClientC
      4⤵
      Launches sc.exe
      PID:7092
  - - C:\Program Files (x86)\GameServerClient\GameService.exe
      GameService remove GameServerClientC confirm
      4⤵
      PID:6312
  - - C:\Program Files (x86)\GameServerClient\GameService.exe
      GameService install GameServerClientC "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
      4⤵
      PID:6684
  - - C:\Program Files (x86)\GameServerClient\GameService.exe
      GameService start GameServerClientC
      4⤵
      PID:7012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    3⤵
    PID:6748

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3052 -ip 3052
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2740 -ip 2740
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6016 -ip 6016
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3376 -ip 3376
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6140 -ip 6140
1⤵
PID:2272

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
PID:1284
- C:\Program Files (x86)\GameServerClient\GameServerClient.exe
  "C:\Program Files (x86)\GameServerClient\GameServerClient.exe"
  2⤵
  PID:3060
- - C:\Windows\Temp\11050.exe
    "C:\Windows\Temp\11050.exe" --list-devices
    3⤵
    PID:5744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3968 -ip 3968
1⤵
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6032 -ip 6032
1⤵
PID:6356

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
1⤵
PID:6376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5724 -ip 5724
1⤵
PID:5612

C:\Program Files (x86)\GameServerClient\GameService.exe
"C:\Program Files (x86)\GameServerClient\GameService.exe"
1⤵
PID:1244
- C:\Program Files (x86)\GameServerClient\GameServerClientC.exe
  "C:\Program Files (x86)\GameServerClient\GameServerClientC.exe"
  2⤵
  PID:7092
- - C:\Windows\Temp\964682.exe
    "C:\Windows\Temp\964682.exe" --coin BTC -m ADDRESSES -t 0 --range 35e1e85d420000000:35e1e85d440000000 -o xxx0.txt -i C:\Windows\Temp\curjob.bin
    3⤵
    PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion