amadey | c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d5e428bc0b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0b7e2e405a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0b7e2e405a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d5e428bc0b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0b7e2e405a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d5e428bc0b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	axplont.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	riff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	lgodjadrg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	work.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	riff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	d5e428bc0b.exe

Executes dropped EXE 19 IoCs

pid	Process
1676	explortu.exe
456	explortu.exe
2240	d5e428bc0b.exe
4688	0b7e2e405a.exe
3220	axplont.exe
400	riff.exe
2628	lgodjadrg.exe
4804	work.exe
640	lgors.exe
1884	riff.exe
4596	tor-real.exe
1156	dpru.exe
4960	axplont.exe
3672	explortu.exe
4628	riff.exe
3332	explortu.exe
4660	axplont.exe
4808	dpru.exe
4700	riff.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	0b7e2e405a.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	d5e428bc0b.exe

Loads dropped DLL 10 IoCs

pid	Process
4596	tor-real.exe
4596	tor-real.exe
4596	tor-real.exe
4596	tor-real.exe
4596	tor-real.exe
4596	tor-real.exe
4596	tor-real.exe
4596	tor-real.exe
4596	tor-real.exe
4596	tor-real.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0b7e2e405a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\0b7e2e405a.exe"	explortu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
1576	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
1676	explortu.exe
456	explortu.exe
2240	d5e428bc0b.exe
4688	0b7e2e405a.exe
3220	axplont.exe
4960	axplont.exe
3672	explortu.exe
3332	explortu.exe
4660	axplont.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 456	1676	explortu.exe	86

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
File created	C:\Windows\Tasks\axplont.job	d5e428bc0b.exe
File created	C:\Windows\Tasks\dpru.job	lgors.exe
File opened for modification	C:\Windows\Tasks\dpru.job	lgors.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1108	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2256	timeout.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1576	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
1576	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
1676	explortu.exe
1676	explortu.exe
456	explortu.exe
456	explortu.exe
2240	d5e428bc0b.exe
2240	d5e428bc0b.exe
4688	0b7e2e405a.exe
4688	0b7e2e405a.exe
3220	axplont.exe
3220	axplont.exe
1884	riff.exe
1884	riff.exe
1884	riff.exe
1884	riff.exe
640	lgors.exe
640	lgors.exe
1884	riff.exe
4960	axplont.exe
4960	axplont.exe
3672	explortu.exe
3672	explortu.exe
4628	riff.exe
4628	riff.exe
3332	explortu.exe
3332	explortu.exe
4660	axplont.exe
4660	axplont.exe
4700	riff.exe
4700	riff.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	riff.exe
Token: SeDebugPrivilege	1884	riff.exe
Token: SeDebugPrivilege	4628	riff.exe
Token: SeDebugPrivilege	4700	riff.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1576	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1884	riff.exe
4628	riff.exe
4700	riff.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1676	1576	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe	81
PID 1576 wrote to memory of 1676	1576	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe	81
PID 1576 wrote to memory of 1676	1576	c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe	81
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 456	1676	explortu.exe	86
PID 1676 wrote to memory of 2240	1676	explortu.exe	88
PID 1676 wrote to memory of 2240	1676	explortu.exe	88
PID 1676 wrote to memory of 2240	1676	explortu.exe	88
PID 1676 wrote to memory of 4688	1676	explortu.exe	91
PID 1676 wrote to memory of 4688	1676	explortu.exe	91
PID 1676 wrote to memory of 4688	1676	explortu.exe	91
PID 2240 wrote to memory of 3220	2240	d5e428bc0b.exe	92
PID 2240 wrote to memory of 3220	2240	d5e428bc0b.exe	92
PID 2240 wrote to memory of 3220	2240	d5e428bc0b.exe	92
PID 3220 wrote to memory of 400	3220	axplont.exe	93
PID 3220 wrote to memory of 400	3220	axplont.exe	93
PID 400 wrote to memory of 636	400	riff.exe	94
PID 400 wrote to memory of 636	400	riff.exe	94
PID 636 wrote to memory of 5040	636	cmd.exe	96
PID 636 wrote to memory of 5040	636	cmd.exe	96
PID 636 wrote to memory of 2256	636	cmd.exe	97
PID 636 wrote to memory of 2256	636	cmd.exe	97
PID 3220 wrote to memory of 2628	3220	axplont.exe	98
PID 3220 wrote to memory of 2628	3220	axplont.exe	98
PID 3220 wrote to memory of 2628	3220	axplont.exe	98
PID 2628 wrote to memory of 3400	2628	lgodjadrg.exe	99
PID 2628 wrote to memory of 3400	2628	lgodjadrg.exe	99
PID 2628 wrote to memory of 3400	2628	lgodjadrg.exe	99
PID 3400 wrote to memory of 4804	3400	cmd.exe	102
PID 3400 wrote to memory of 4804	3400	cmd.exe	102
PID 3400 wrote to memory of 4804	3400	cmd.exe	102
PID 4804 wrote to memory of 640	4804	work.exe	103
PID 4804 wrote to memory of 640	4804	work.exe	103
PID 4804 wrote to memory of 640	4804	work.exe	103
PID 636 wrote to memory of 1108	636	cmd.exe	104
PID 636 wrote to memory of 1108	636	cmd.exe	104
PID 636 wrote to memory of 1884	636	cmd.exe	105
PID 636 wrote to memory of 1884	636	cmd.exe	105
PID 1884 wrote to memory of 4596	1884	riff.exe	106
PID 1884 wrote to memory of 4596	1884	riff.exe	106
PID 1884 wrote to memory of 4596	1884	riff.exe	106
PID 1884 wrote to memory of 5096	1884	riff.exe	108
PID 1884 wrote to memory of 5096	1884	riff.exe	108
PID 5096 wrote to memory of 4356	5096	cmd.exe	110
PID 5096 wrote to memory of 4356	5096	cmd.exe	110
PID 5096 wrote to memory of 3428	5096	cmd.exe	111
PID 5096 wrote to memory of 3428	5096	cmd.exe	111
PID 5096 wrote to memory of 4488	5096	cmd.exe	112
PID 5096 wrote to memory of 4488	5096	cmd.exe	112
PID 1884 wrote to memory of 4164	1884	riff.exe	113
PID 1884 wrote to memory of 4164	1884	riff.exe	113
PID 4164 wrote to memory of 4372	4164	cmd.exe	115
PID 4164 wrote to memory of 4372	4164	cmd.exe	115
PID 4164 wrote to memory of 3964	4164	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	riff.exe

C:\Users\Admin\AppData\Local\Temp\c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe
"C:\Users\Admin\AppData\Local\Temp\c35b5b25d5f84d8306128cc099dd47338d677dc60650c9b7b414283540d566ef.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:456
- - C:\Users\Admin\1000004002\d5e428bc0b.exe
    "C:\Users\Admin\1000004002\d5e428bc0b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3220
    - - C:\Users\Admin\AppData\Local\Temp\1000053001\riff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000053001\riff.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "riff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000053001\riff.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5040
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2256
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "riff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe" /rl HIGHEST /f
        7⤵
        Creates scheduled task(s)
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe
        
        "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        outlook_office_path
        outlook_win_path
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe
        
        "C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4596
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4356
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        9⤵
        
        PID:3428
        
        C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        9⤵
        
        PID:4488
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4372
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:3964
        
        C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        9⤵
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\1000054001\lgodjadrg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000054001\lgodjadrg.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        
        work.exe -priverdD
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe"
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:640
- - C:\Users\Admin\AppData\Local\Temp\1000005001\0b7e2e405a.exe
    "C:\Users\Admin\AppData\Local\Temp\1000005001\0b7e2e405a.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4688

C:\ProgramData\ouoicoi\dpru.exe
C:\ProgramData\ouoicoi\dpru.exe start2
1⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3672

C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3332

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\ProgramData\ouoicoi\dpru.exe
C:\ProgramData\ouoicoi\dpru.exe start2
1⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery

T1082

Virtualization/Sandbox Evasion