Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
299s -
max time network
290s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
05/05/2024, 22:46
Behavioral task
behavioral1
Sample
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
Resource
win10-20240404-en
General
-
Target
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe
-
Size
1.6MB
-
MD5
257b7b6010eabdb818f58f7da1c4a6e2
-
SHA1
f50aad02b8707f39788d775da1f5ef052476f474
-
SHA256
98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e
-
SHA512
418c649620243fa46aa172f44481e2980746764c1c9ccd570b5025923703def5d5798d024ed862dec40d24be47a786df73e7cc2700a4061f2ec4fedc8c54cd09
-
SSDEEP
49152:lq8aMhBNUQYV/0AO95+s1YHPexNOH3yPVVzWX6:lq8JhByZV875vUexNc3yPnd
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
risepro
147.45.47.93:58709
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
redline
Test1234
185.215.113.67:26260
Extracted
redline
@CLOUDYTTEAM
185.172.128.33:8970
Extracted
lumma
https://holicisticscrarws.shop/api
https://boredimperissvieos.shop/api
Signatures
-
Detect ZGRat V1 6 IoCs
resource yara_rule behavioral2/memory/5388-333-0x0000000000400000-0x0000000000592000-memory.dmp family_zgrat_v1 behavioral2/files/0x000700000001ac21-338.dat family_zgrat_v1 behavioral2/memory/5552-371-0x00000000008C0000-0x0000000000980000-memory.dmp family_zgrat_v1 behavioral2/memory/5736-1005-0x0000013AC8750000-0x0000013ACC048000-memory.dmp family_zgrat_v1 behavioral2/memory/5736-1008-0x0000013AE6850000-0x0000013AE6960000-memory.dmp family_zgrat_v1 behavioral2/memory/5736-1012-0x0000013ACDEF0000-0x0000013ACDF14000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral2/files/0x000800000001abe4-140.dat family_redline behavioral2/memory/3624-156-0x0000000000580000-0x00000000005D2000-memory.dmp family_redline behavioral2/files/0x000700000001ac21-338.dat family_redline behavioral2/files/0x000700000001ac20-342.dat family_redline behavioral2/memory/5584-343-0x0000000000560000-0x00000000005B2000-memory.dmp family_redline behavioral2/memory/5552-371-0x00000000008C0000-0x0000000000980000-memory.dmp family_redline -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe -
XMRig Miner payload 2 IoCs
resource yara_rule behavioral2/files/0x000700000001ac33-595.dat family_xmrig behavioral2/files/0x000700000001ac33-595.dat xmrig -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d85e0e52c8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorta.exe -
Blocklisted process makes network request 10 IoCs
flow pid Process 123 2508 RegAsm.exe 125 2508 RegAsm.exe 129 2508 RegAsm.exe 134 2508 RegAsm.exe 136 2508 RegAsm.exe 140 2508 RegAsm.exe 8 2508 RegAsm.exe 13 2508 RegAsm.exe 147 5980 rundll32.exe 28 5888 rundll32.exe -
pid Process 5344 powershell.exe 1384 powershell.exe 4664 powershell.exe 5484 powershell.exe 3128 powershell.exe 3608 powershell.exe 5668 powershell.exe 5280 powershell.exe 2832 powershell.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 5416 netsh.exe -
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d85e0e52c8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorta.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amert.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d85e0e52c8.exe -
Executes dropped EXE 64 IoCs
pid Process 1796 explorta.exe 5072 explorta.exe 840 explorta.exe 3940 amert.exe 304 explorha.exe 3416 d85e0e52c8.exe 3488 swiiiii.exe 3624 jok.exe 1440 6beefcba37.exe 4912 swiiii.exe 4104 file300un.exe 2280 gold.exe 5328 alexxxxxxxx.exe 5552 trf.exe 5584 keks.exe 5124 install.exe 5744 GameService.exe 6044 GameService.exe 5128 NewB.exe 2876 GameService.exe 6028 GameService.exe 6020 GameService.exe 5200 GameSyncLink.exe 4972 GameService.exe 5752 ISetup8.exe 6112 GameService.exe 1324 GameService.exe 5248 GameService.exe 5180 GameService.exe 1532 PiercingNetLink.exe 5740 GameService.exe 5940 GameService.exe 4560 GameService.exe 5784 GameService.exe 5944 GameSyncLinks.exe 5148 GameSyncLink.exe 2468 PiercingNetLink.exe 2892 toolspub1.exe 5196 GameSyncLinks.exe 5740 4767d2e713f2021e8fe856e3ea638b58.exe 2944 GameSyncLink.exe 5072 PiercingNetLink.exe 1576 GameSyncLinks.exe 1460 GameSyncLink.exe 2724 PiercingNetLink.exe 3900 GameSyncLinks.exe 428 explorha.exe 776 explorta.exe 2160 NewB.exe 1292 GameSyncLink.exe 5228 PiercingNetLink.exe 5796 GameSyncLinks.exe 4344 u4fs.0.exe 2720 u4fs.1.exe 5624 4767d2e713f2021e8fe856e3ea638b58.exe 2088 GameSyncLink.exe 2284 PiercingNetLink.exe 3348 GameSyncLinks.exe 5164 explorha.exe 3012 explorta.exe 2032 NewB.exe 624 csrss.exe 5740 GameSyncLink.exe 4056 PiercingNetLink.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine explorta.exe Key opened \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine amert.exe -
Loads dropped DLL 5 IoCs
pid Process 5960 rundll32.exe 5980 rundll32.exe 5888 rundll32.exe 4344 u4fs.0.exe 4344 u4fs.0.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/2316-0-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/memory/2316-3-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/memory/2316-2-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/memory/2316-1-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/memory/2316-4-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/memory/2316-6-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/memory/2316-5-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/memory/2316-7-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/files/0x000700000001ac0f-13.dat themida behavioral2/memory/1796-18-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/2316-17-0x00000000008C0000-0x0000000000DF8000-memory.dmp themida behavioral2/memory/1796-20-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/1796-25-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/1796-23-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/1796-22-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/1796-24-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/1796-19-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/1796-21-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-27-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-29-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-33-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-34-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-31-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-32-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-30-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-28-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/5072-36-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/1796-39-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/840-43-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/1796-72-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/files/0x000800000001aba7-101.dat themida behavioral2/memory/3416-109-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-110-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-113-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-111-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-115-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-117-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-116-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-114-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-112-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/3416-634-0x0000000000A30000-0x00000000010B0000-memory.dmp themida behavioral2/memory/776-639-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/776-650-0x0000000001250000-0x0000000001788000-memory.dmp themida behavioral2/memory/3012-1050-0x0000000001250000-0x0000000001788000-memory.dmp themida -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 4767d2e713f2021e8fe856e3ea638b58.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\d85e0e52c8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000020001\\d85e0e52c8.exe" explorta.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\6beefcba37.exe = "C:\\Users\\Admin\\1000021002\\6beefcba37.exe" explorta.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file300un.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA d85e0e52c8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorta.exe -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000800000001abdb-149.dat autoit_exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 840 explorta.exe 3940 amert.exe 304 explorha.exe 428 explorha.exe 5164 explorha.exe 5900 explorha.exe 3932 explorha.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 1796 set thread context of 840 1796 explorta.exe 75 PID 3488 set thread context of 5056 3488 swiiiii.exe 81 PID 4912 set thread context of 4624 4912 swiiii.exe 100 PID 2280 set thread context of 2508 2280 gold.exe 144 PID 4104 set thread context of 748 4104 file300un.exe 111 PID 5328 set thread context of 5388 5328 alexxxxxxxx.exe 116 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 4767d2e713f2021e8fe856e3ea638b58.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File created C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File created C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File created C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File created C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe install.exe File created C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installc.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installm.bat install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameService.exe install.exe File created C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe install.exe File opened for modification C:\Program Files (x86)\GameSyncLink\installg.bat install.exe File created C:\Program Files (x86)\GameSyncLink\installm.bat install.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\Tasks\explorta.job 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe File created C:\Windows\Tasks\explorha.job amert.exe File opened for modification C:\Windows\rss 4767d2e713f2021e8fe856e3ea638b58.exe File created C:\Windows\rss\csrss.exe 4767d2e713f2021e8fe856e3ea638b58.exe -
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 828 sc.exe 6016 sc.exe 3184 sc.exe 5684 sc.exe 5348 sc.exe 6116 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 2352 3488 WerFault.exe 79 5404 5328 WerFault.exe 113 1440 2892 WerFault.exe 171 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4fs.1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4fs.1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI u4fs.1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 u4fs.0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString u4fs.0.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4224 schtasks.exe 6112 schtasks.exe 5576 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" 4767d2e713f2021e8fe856e3ea638b58.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" 4767d2e713f2021e8fe856e3ea638b58.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 jok.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 jok.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 840 explorta.exe 840 explorta.exe 3940 amert.exe 3940 amert.exe 304 explorha.exe 304 explorha.exe 3572 chrome.exe 3572 chrome.exe 2832 powershell.exe 2832 powershell.exe 2832 powershell.exe 2832 powershell.exe 5980 rundll32.exe 5980 rundll32.exe 5980 rundll32.exe 5980 rundll32.exe 5980 rundll32.exe 5980 rundll32.exe 5980 rundll32.exe 5980 rundll32.exe 5980 rundll32.exe 5980 rundll32.exe 5280 powershell.exe 5280 powershell.exe 5280 powershell.exe 5280 powershell.exe 6020 GameService.exe 6020 GameService.exe 5180 GameService.exe 5180 GameService.exe 5784 GameService.exe 5784 GameService.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 6020 GameService.exe 6020 GameService.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe 3624 jok.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeDebugPrivilege 4104 file300un.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeDebugPrivilege 2832 powershell.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeIncreaseQuotaPrivilege 2832 powershell.exe Token: SeSecurityPrivilege 2832 powershell.exe Token: SeTakeOwnershipPrivilege 2832 powershell.exe Token: SeLoadDriverPrivilege 2832 powershell.exe Token: SeSystemProfilePrivilege 2832 powershell.exe Token: SeSystemtimePrivilege 2832 powershell.exe Token: SeProfSingleProcessPrivilege 2832 powershell.exe Token: SeIncBasePriorityPrivilege 2832 powershell.exe Token: SeCreatePagefilePrivilege 2832 powershell.exe Token: SeBackupPrivilege 2832 powershell.exe Token: SeRestorePrivilege 2832 powershell.exe Token: SeShutdownPrivilege 2832 powershell.exe Token: SeDebugPrivilege 2832 powershell.exe Token: SeSystemEnvironmentPrivilege 2832 powershell.exe Token: SeRemoteShutdownPrivilege 2832 powershell.exe Token: SeUndockPrivilege 2832 powershell.exe Token: SeManageVolumePrivilege 2832 powershell.exe Token: 33 2832 powershell.exe Token: 34 2832 powershell.exe Token: 35 2832 powershell.exe Token: 36 2832 powershell.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeDebugPrivilege 5552 trf.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeDebugPrivilege 5280 powershell.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeShutdownPrivilege 3572 chrome.exe Token: SeCreatePagefilePrivilege 3572 chrome.exe Token: SeDebugPrivilege 3624 jok.exe Token: SeDebugPrivilege 5584 keks.exe Token: SeBackupPrivilege 5552 trf.exe Token: SeSecurityPrivilege 5552 trf.exe Token: SeSecurityPrivilege 5552 trf.exe Token: SeSecurityPrivilege 5552 trf.exe Token: SeSecurityPrivilege 5552 trf.exe Token: SeDebugPrivilege 5388 RegAsm.exe Token: SeDebugPrivilege 5344 powershell.exe Token: SeDebugPrivilege 5740 4767d2e713f2021e8fe856e3ea638b58.exe Token: SeImpersonatePrivilege 5740 4767d2e713f2021e8fe856e3ea638b58.exe Token: SeDebugPrivilege 5736 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Token: SeDebugPrivilege 1384 powershell.exe Token: SeDebugPrivilege 4664 powershell.exe Token: SeDebugPrivilege 5484 powershell.exe -
Suspicious use of FindShellTrayWindow 54 IoCs
pid Process 1440 6beefcba37.exe 1440 6beefcba37.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 1440 6beefcba37.exe 3572 chrome.exe 1440 6beefcba37.exe 3572 chrome.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe -
Suspicious use of SendNotifyMessage 51 IoCs
pid Process 1440 6beefcba37.exe 1440 6beefcba37.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 3572 chrome.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 1440 6beefcba37.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe 2720 u4fs.1.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 1796 2316 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 73 PID 2316 wrote to memory of 1796 2316 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 73 PID 2316 wrote to memory of 1796 2316 98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe 73 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 840 1796 explorta.exe 75 PID 1796 wrote to memory of 3940 1796 explorta.exe 76 PID 1796 wrote to memory of 3940 1796 explorta.exe 76 PID 1796 wrote to memory of 3940 1796 explorta.exe 76 PID 3940 wrote to memory of 304 3940 amert.exe 77 PID 3940 wrote to memory of 304 3940 amert.exe 77 PID 3940 wrote to memory of 304 3940 amert.exe 77 PID 1796 wrote to memory of 3416 1796 explorta.exe 78 PID 1796 wrote to memory of 3416 1796 explorta.exe 78 PID 1796 wrote to memory of 3416 1796 explorta.exe 78 PID 304 wrote to memory of 3488 304 explorha.exe 79 PID 304 wrote to memory of 3488 304 explorha.exe 79 PID 304 wrote to memory of 3488 304 explorha.exe 79 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 3488 wrote to memory of 5056 3488 swiiiii.exe 81 PID 304 wrote to memory of 3624 304 explorha.exe 84 PID 304 wrote to memory of 3624 304 explorha.exe 84 PID 304 wrote to memory of 3624 304 explorha.exe 84 PID 1796 wrote to memory of 1440 1796 explorta.exe 201 PID 1796 wrote to memory of 1440 1796 explorta.exe 201 PID 1796 wrote to memory of 1440 1796 explorta.exe 201 PID 1440 wrote to memory of 3572 1440 6beefcba37.exe 86 PID 1440 wrote to memory of 3572 1440 6beefcba37.exe 86 PID 3572 wrote to memory of 4448 3572 chrome.exe 88 PID 3572 wrote to memory of 4448 3572 chrome.exe 88 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 PID 3572 wrote to memory of 2824 3572 chrome.exe 90 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file300un.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe"C:\Users\Admin\AppData\Local\Temp\98b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:840
-
-
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\swiiiii.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:5056
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 8366⤵
- Program crash
PID:2352
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"C:\Users\Admin\AppData\Local\Temp\1000071001\jok.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624
-
-
C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\1000073001\swiiii.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:4220
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:4624
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4104 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000075001\file300un.exe" -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"6⤵PID:748
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000079001\gold.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2280 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Blocklisted process makes network request
PID:2508
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\1000080001\alexxxxxxxx.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5328 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:5368
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵PID:5376
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5388 -
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5552
-
-
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5584
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"7⤵PID:5736
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵PID:2820
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5328 -s 5206⤵
- Program crash
PID:5404
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Loads dropped DLL
PID:5960 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5980 -
C:\Windows\system32\netsh.exenetsh wlan show profiles7⤵PID:6000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\735606991074_Desktop.zip' -CompressionLevel Optimal7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5280
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"C:\Users\Admin\AppData\Local\Temp\1000081001\install.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "6⤵PID:5324
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClient7⤵
- Launches sc.exe
PID:5684
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClient confirm7⤵
- Executes dropped EXE
PID:5744
-
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLink7⤵
- Launches sc.exe
PID:6016
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLink confirm7⤵
- Executes dropped EXE
PID:6044
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"7⤵
- Executes dropped EXE
PID:2876
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLink7⤵
- Executes dropped EXE
PID:6028
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "6⤵PID:2508
-
C:\Windows\SysWOW64\sc.exeSc stop GameServerClientC7⤵
- Launches sc.exe
PID:828
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameServerClientC confirm7⤵
- Executes dropped EXE
PID:4972
-
-
C:\Windows\SysWOW64\sc.exeSc delete PiercingNetLink7⤵
- Launches sc.exe
PID:6116
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove PiercingNetLink confirm7⤵
- Executes dropped EXE
PID:6112
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"7⤵
- Executes dropped EXE
PID:1324
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start PiercingNetLink7⤵
- Executes dropped EXE
PID:5248
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "6⤵PID:5812
-
C:\Windows\SysWOW64\sc.exeSc delete GameSyncLinks7⤵
- Launches sc.exe
PID:5348
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService remove GameSyncLinks confirm7⤵
- Executes dropped EXE
PID:5740
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"7⤵
- Executes dropped EXE
PID:5940
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exeGameService start GameSyncLinks7⤵
- Executes dropped EXE
PID:4560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "6⤵PID:5592
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"5⤵
- Executes dropped EXE
PID:5128 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F6⤵
- Creates scheduled task(s)
PID:6112
-
-
C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"6⤵
- Executes dropped EXE
PID:5752 -
C:\Users\Admin\AppData\Local\Temp\u4fs.0.exe"C:\Users\Admin\AppData\Local\Temp\u4fs.0.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4344
-
-
C:\Users\Admin\AppData\Local\Temp\u4fs.1.exe"C:\Users\Admin\AppData\Local\Temp\u4fs.1.exe"7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD18⤵
- Suspicious use of AdjustPrivilegeToken
PID:5736
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2892 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 4927⤵
- Program crash
PID:1440
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5740 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5344
-
-
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"7⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5624 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"8⤵PID:1304
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes9⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:5416
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5484
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe8⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:624 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3128
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
PID:5576
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f9⤵PID:5760
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3608
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5668
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll9⤵PID:4568
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
PID:4224
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"9⤵PID:3988
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵PID:356
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)11⤵
- Launches sc.exe
PID:3184
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5888
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\d85e0e52c8.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\d85e0e52c8.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3416
-
-
C:\Users\Admin\1000021002\6beefcba37.exe"C:\Users\Admin\1000021002\6beefcba37.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9aa8f9758,0x7ff9aa8f9768,0x7ff9aa8f97785⤵PID:4448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:25⤵PID:2824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:85⤵PID:656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:85⤵PID:2996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2900 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:15⤵PID:200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:15⤵PID:884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:15⤵PID:504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:85⤵PID:4904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:85⤵PID:2344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1724,i,10145486206899444686,8369535682901171676,131072 /prefetch:85⤵PID:2268
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5072
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3184
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6020 -
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:5200
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5280
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:5148
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:2944
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:1460
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:1292
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5584
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:2088
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵
- Executes dropped EXE
PID:5740
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"2⤵PID:5028
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5180 -
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:1532
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:2468
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:5072
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:2724
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:5228
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:2284
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵
- Executes dropped EXE
PID:4056
-
-
C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"2⤵PID:5616
-
-
C:\Program Files (x86)\GameSyncLink\GameService.exe"C:\Program Files (x86)\GameSyncLink\GameService.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5784 -
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:5944
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:5196
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:1576
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4912
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:3900
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:5796
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵
- Executes dropped EXE
PID:3348
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵PID:4144
-
-
C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"2⤵PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:428
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:776
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe1⤵
- Executes dropped EXE
PID:2160
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5164
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3012
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe1⤵
- Executes dropped EXE
PID:2032
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5900
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4996
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe1⤵PID:224
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
PID:164
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3932
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1556
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe1⤵PID:804
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288KB
MD5d9ec6f3a3b2ac7cd5eef07bd86e3efbc
SHA1e1908caab6f938404af85a7df0f80f877a4d9ee6
SHA256472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c
SHA5121b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4
-
Filesize
2.5MB
MD5e6943a08bb91fc3086394c7314be367d
SHA1451d2e171f906fa6c43f8b901cd41b0283d1fa40
SHA256aafdcfe5386452f4924cfcc23f2cf7eccf3f868947ad7291a77b2eca2af0c873
SHA512505d3c76988882602f06398e747c4e496ecad9df1b7959069b87c8111c4d9118484f4d6baef5f671466a184c8caec362d635da210fa0987ccb746cbeea218d2a
-
Filesize
6.2MB
MD51bacbebf6b237c75dbe5610d2d9e1812
SHA13ca5768a9cf04a2c8e157d91d4a1b118668f5cf1
SHA256c3747b167c70fd52b16fb93a4f815e7a4ee27cf67d2c7d55ea9d1edc7969c67d
SHA512f6438eced6915890d5d15d853c3ad6856de949b7354dcea97b1cf40d0c8aed767c8e45730e64ab0368f3606da5e95fd1d4db9cc21e613d517f37ddebbd0fa1fe
-
Filesize
13.2MB
MD572b396a9053dff4d804e07ee1597d5e3
SHA15ec4fefa66771613433c17c11545c6161e1552d5
SHA256d0b206f0f47a9f8593b6434dc27dadde8480a902e878882fa8c73fc7fe01b11d
SHA512ad96c9ca2feae7af7fcf01a843d5aa6cbdde0520d68dedff44554a17639c6c66b2301d73daf272708cb76c22eae2d5c89db23af45105c4f0e35f4787f98e192b
-
Filesize
284B
MD55dee3cbf941c5dbe36b54690b2a3c240
SHA182b9f1ad3ca523f3794e052f7e67ecdcd1ae87e1
SHA25698370b86626b8fd7a7cac96693348045b081326c49e2421113f49a5ea3588edb
SHA5129ee431d485e2f09268a22b287b0960859d2f22db8c7e61309a042999c436b3de74f5d75837b739e01122a796ad65bc6468d009ec6ddf4962f4ff288155410556
-
Filesize
218B
MD594b87b86dc338b8f0c4e5869496a8a35
SHA12584e6496d048068f61ac72f5c08b54ad08627c3
SHA2562928d8e9a41f39d3802cfd2900d8edeb107666baa942d9c0ffbfd0234b5e5bfc
SHA512b67eb73fe51d4dba990789f1e0123e902dac6d26569851c3d51ca0a575221ce317f973999d962669016017d8f81a01f11bd977609e66bb1b244334bce2db5d5d
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
1.1MB
MD5eb9d9984da999e896730c644df24b147
SHA10f10fa621aaedd8d30fd6bc9a95bc74a5bf20f68
SHA256634a436f42cac1098bf608da65abe493f0b72f36d63827decc5254e9a6f44aea
SHA51286dc1affbc8a0efd1b5e4597747dc5426673c12222e5e06337aec92f070200b51fd49463adc21a3209d625df6669563efa232a4bbd12f044c380b6fdf1c3a261
-
Filesize
705B
MD599915efe984427aeb04ec29d931ce865
SHA1e6cc11aceca664f46bdc5caf0120a3465979b2c8
SHA256555d5346b8cd7877aa83f2ed08d9d3c862f65e8312595a59b51030d044fa9de7
SHA51238918369dd872d283ca45efd946c8a7aa8a10aef8737f82ad9371c6f21249b9dd2d20fd3ad1095f7e898028dddccff280a3e1336b414a75f86932bea6dc612fa
-
Filesize
6KB
MD5d88ef195bd5d2777373cb4872dbfa375
SHA17129ee3dca9706258b813d1eb6d8ab25d5190c95
SHA256f65b9c9d31e9e438148c909f079a164fe74295f540b7b78753f2a1e00dae964c
SHA51208825fea45f6a0f99dec1fad57dfc328bb7e02e66ab12cc6d52b346b6637ce87fa92df7a7ab5cf1249e09a08c21d3036de6d6080d5ac5ee4827caaf4933d7a15
-
Filesize
272KB
MD5d662e1db511329e707ad7e6be3c162b6
SHA1a73d63048e2acd501c9aac5077f8cea804ce4cbc
SHA256855f7bea3b31e5da26eb4ff63508109c8cef646df0e7698b02abb03de1c6704a
SHA512f0f6ad3b931b3f21853cb5f202f5af65e759b1aa7415f1b000363e732a430bcbd35c16b2a0690dbc98264880f5ee2516d8f5cbf354456a317737ebdc1dc5ba83
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD58e41a8e6fdfaa33455ac694a5d1edd5a
SHA1b57458638abad344ca97117581813174899aac67
SHA2563427b10b7dc8283cad24aafe7589dcfb562fb056a54bfeddfeb5c5a5e3634704
SHA512841f4741d3f9a7e7913f299c0e7501c0f1a6d880bf32203071bc7d7639f404365643ef70e9bfa25a2f99e29d4de2eec3a902afa2a2b2875b2b5e2bc7c858a096
-
Filesize
1.8MB
MD5e30a7d55336c5da8caa04caff1ce114e
SHA1e1ee65f973cb132b1609f2c39eace8e6fae85051
SHA25632fa22b59bf2ce238b5f70a17ec19ecac7b03a283c628d1b684c7175394180e8
SHA51210a746583f4cffa7b1008f9e40f2101bd9183dea124c2f9176e6a8a6660fe20c637b727e3bc2d138343359869b464a6e62b3f47a7213a02c80282b38b202eafc
-
Filesize
2.1MB
MD58a11f3f7f1d24eb64175036a7c85654c
SHA140f198442835de440c378effe8f023cdf0d45e30
SHA256d14edb85b599d38a15b2a266526803e5ebf80ab0ddc68e9ae80ea97ae9a85371
SHA512a4a934f4f9229a4aa9dda50452af1bdb1e12f60ed310d77c991bcdcf9970b4e9dfbe39f00e2258e12021dda6f4b71712d475aba67d5ea5315fc12af5bfc91c66
-
Filesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
Filesize
304KB
MD58510bcf5bc264c70180abe78298e4d5b
SHA12c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA5125ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d
-
Filesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
Filesize
410KB
MD5b76b8463d2167fa7f1feb1d562fe18ac
SHA19870f08014840f890ef57200a87775d5d199cb5f
SHA25615e4e2d3998c5c604f37df003c4d15726eecf9bbee2a63ab33ac6a0cc0289126
SHA512c137dcebc7ea2da5a90898c73ddbf54370d168d7655acffa4cae62586b53e7064871d10b39af363b664529bb39fb60ae895ad61f2ed766f7390a874dbcf01361
-
Filesize
564KB
MD5f15a9cfa3726845017a7f91abe0a14f7
SHA15540ae40231fe4bf97e59540033b679dda22f134
SHA2562dec75328413d4c278c119db42920fb183a88a5398d56ecc80c8cc74fba13071
SHA5121c2af9608736ad6a02d093f769fe5ec5a06cb395a639e021d4ee3f6c46cebc8c101e7db1064984f801ad3bee65d81b95fe6e2e60c0ec949bb172ba9c455b9869
-
Filesize
2.7MB
MD531841361be1f3dc6c2ce7756b490bf0f
SHA1ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA51253d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019
-
Filesize
4.2MB
MD50f52e5e68fe33694d488bfe7a1a71529
SHA111d7005bd72cb3fd46f24917bf3fc5f3203f361f
SHA256efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8
SHA512238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
416KB
MD57b2875cb05e2096cdff530aa2b6fc6fc
SHA13db46544f57870426eaee8aa07bdd1e605c54b29
SHA256b97edba2e0e81b4cc7d99a6776f80d50ce46952680c71b06428f6a3206c366f7
SHA5120e0208f81195b6e5c3c01e2bed1cf38fb9221b0c86190da4e77763880da21d1b5f81c142dfcf27ee6ba8d7ff3383d1417d466a28c5bdc2f13a0dd498f4928441
-
Filesize
245KB
MD5eab8a9b818ef4e23bd92d7420ee33b77
SHA1f4751ca6ff4d24c3bfada9ad043835a27f04d2f5
SHA256130ef444d7e6cd446c98932ce64ec44b56653258965cea4180baba5b570e4b75
SHA512ce77e817741e460aa813d4efe1750f24f149bb4f7df23a06b7986c4ef09dc5303d0e0585928b78bf2b12dfa76a93f5bc8873fa03c8febe82b9c960ad41d1ff9f
-
Filesize
4.2MB
MD5545627de023f52af8996a5cc7f503cac
SHA1bc8e326cf8c7ccbf48f116569bb60722019caade
SHA256f599fb4c2d32ce75f4ba504633e847b80fa294433adda975d1e752c3f9b6db46
SHA5126e1d9223428321c7ac73e90edde1f22a355f4476a15f3dcfc9ae1c6700a19b694c3582dece44c54b0e7f60c3a1811003e9899c68ef2dabb0b54ae742b98ef87f
-
Filesize
1.6MB
MD5257b7b6010eabdb818f58f7da1c4a6e2
SHA1f50aad02b8707f39788d775da1f5ef052476f474
SHA25698b8a986c223f2cb071b41bdb24d0e577e1e34a0111ce7ed8d12f1d7885ee78e
SHA512418c649620243fa46aa172f44481e2980746764c1c9ccd570b5025923703def5d5798d024ed862dec40d24be47a786df73e7cc2700a4061f2ec4fedc8c54cd09
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
304KB
MD50c582da789c91878ab2f1b12d7461496
SHA1238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a
-
Filesize
750KB
MD520ae0bb07ba77cb3748aa63b6eb51afb
SHA187c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2
-
Filesize
2KB
MD5bc66475ee3b9ba37ec6828944dadd734
SHA19b82600ed9625cd85c114473a66b2160aea60b0a
SHA2564c14b7589cf62d4a93c2e2e3f6b74c3b2424973df96e12dfbfb988cc6d29d409
SHA512e45e908918f2c08cc2a1fe85f268c858a6bfa082c792ce893ef649aeffe7d570b791236f70f6f9e1ac2388173a6e5b76fe53a340685d0f1880bb2f28a440cbdf