amadey | 445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490

Virtualization/Sandbox Evasion

Processes:

axplong.exeexplortu.exed991ab00ad.exe0f1a3878cf.exeaxplong.exeexplortu.exe445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exeexplortu.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d991ab00ad.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0f1a3878cf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1308 powershell.exe
5252 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

services64.exeWindowsAutHost

description ioc process

File created C:\Windows\system32\drivers\etc\hosts services64.exe
File created C:\Windows\system32\drivers\etc\hosts WindowsAutHost
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1308	powershell.exe
5252	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	services64.exe
File created	C:\Windows\system32\drivers\etc\hosts	WindowsAutHost

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exed991ab00ad.exeexplortu.exeaxplong.exeaxplong.exeexplortu.exeaxplong.exe0f1a3878cf.exeexplortu.exewmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d991ab00ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d991ab00ad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0f1a3878cf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0f1a3878cf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 16 IoCs

Processes:

explortu.exed991ab00ad.exeaxplong.exe0f1a3878cf.exe6da7ca91e1.exelrthijawd.exeaxplong.exework.exeexplortu.exejergs.exessfqe.exeservices64.exeWindowsAutHostaxplong.exeexplortu.exessfqe.exe

pid	process
2276	explortu.exe
2104	d991ab00ad.exe
3268	axplong.exe
4132	0f1a3878cf.exe
3744	6da7ca91e1.exe
1084	lrthijawd.exe
5024	axplong.exe
560	work.exe
3504	explortu.exe
2604	jergs.exe
4952	ssfqe.exe
1340	services64.exe
1120	WindowsAutHost
6100	axplong.exe
1716	explortu.exe
5732	ssfqe.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

axplong.exed991ab00ad.exeexplortu.exeaxplong.exe0f1a3878cf.exeaxplong.exeexplortu.exe445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exeexplortu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	d991ab00ad.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	0f1a3878cf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
Key opened	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explortu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\0f1a3878cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000012001\\0f1a3878cf.exe"	explortu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000013001\6da7ca91e1.exe	autoit_exe

Drops file in System32 directory 5 IoCs

Processes:

services64.exepowershell.exeWindowsAutHostOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	services64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	WindowsAutHost
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exeexplortu.exed991ab00ad.exeaxplong.exe0f1a3878cf.exeaxplong.exeexplortu.exeservices64.exeWindowsAutHostaxplong.exeexplortu.exe

pid	process
1068	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
2276	explortu.exe
2104	d991ab00ad.exe
3268	axplong.exe
4132	0f1a3878cf.exe
5024	axplong.exe
3504	explortu.exe
1340	services64.exe
1340	services64.exe
1120	WindowsAutHost
1120	WindowsAutHost
6100	axplong.exe
1716	explortu.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

services64.exeWindowsAutHost

description	pid	process	target process
PID 1340 set thread context of 4188	1340	services64.exe	dialer.exe
PID 1120 set thread context of 5872	1120	WindowsAutHost	dialer.exe
PID 1120 set thread context of 5908	1120	WindowsAutHost	dialer.exe
PID 1120 set thread context of 6000	1120	WindowsAutHost	dialer.exe

Drops file in Windows directory 5 IoCs

Processes:

445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exed991ab00ad.exechrome.exejergs.exe

description	ioc	process
File created	C:\Windows\Tasks\explortu.job	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
File created	C:\Windows\Tasks\axplong.job	d991ab00ad.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Tasks\ssfqe.job	jergs.exe
File opened for modification	C:\Windows\Tasks\ssfqe.job	jergs.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1084	sc.exe
5584	sc.exe
5708	sc.exe
4460	sc.exe
2456	sc.exe
3104	sc.exe
4684	sc.exe
3400	sc.exe
3232	sc.exe
1780	sc.exe
4508	sc.exe
5656	sc.exe
5752	sc.exe
5792	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

wmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 62 IoCs

Processes:

powershell.exeOfficeClickToRun.exechrome.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717535597"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={453AF952-5678-4983-A91B-F7D586F23203}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 04 Jun 2024 21:13:17 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133620091264505938"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{B7F19069-4DB6-4EA0-9B42-34D1FDBCB881}	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exeexplortu.exed991ab00ad.exeaxplong.exe0f1a3878cf.exeaxplong.exechrome.exeexplortu.exejergs.exeservices64.exepowershell.exedialer.exe

pid	process
1068	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
1068	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
2276	explortu.exe
2276	explortu.exe
2104	d991ab00ad.exe
2104	d991ab00ad.exe
3268	axplong.exe
3268	axplong.exe
4132	0f1a3878cf.exe
4132	0f1a3878cf.exe
5024	axplong.exe
5024	axplong.exe
2708	chrome.exe
2708	chrome.exe
3504	explortu.exe
3504	explortu.exe
2604	jergs.exe
2604	jergs.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1308	powershell.exe
1308	powershell.exe
1308	powershell.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
1340	services64.exe
1340	services64.exe
1340	services64.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe
4188	dialer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2708 chrome.exe
2708 chrome.exe
2708 chrome.exe
2708 chrome.exe

pid	process
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exepowershell.exeservices64.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeWindowsAutHostdialer.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeDebugPrivilege	1340	services64.exe
Token: SeDebugPrivilege	4188	dialer.exe
Token: SeShutdownPrivilege	3876	powercfg.exe
Token: SeCreatePagefilePrivilege	3876	powercfg.exe
Token: SeShutdownPrivilege	2280	powercfg.exe
Token: SeCreatePagefilePrivilege	2280	powercfg.exe
Token: SeShutdownPrivilege	1988	powercfg.exe
Token: SeCreatePagefilePrivilege	1988	powercfg.exe
Token: SeShutdownPrivilege	2796	powercfg.exe
Token: SeCreatePagefilePrivilege	2796	powercfg.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeShutdownPrivilege	2708	chrome.exe
Token: SeCreatePagefilePrivilege	2708	chrome.exe
Token: SeDebugPrivilege	1120	WindowsAutHost
Token: SeDebugPrivilege	5872	dialer.exe
Token: SeShutdownPrivilege	5832	powercfg.exe
Token: SeCreatePagefilePrivilege	5832	powercfg.exe
Token: SeShutdownPrivilege	5856	powercfg.exe
Token: SeCreatePagefilePrivilege	5856	powercfg.exe
Token: SeShutdownPrivilege	5848	powercfg.exe
Token: SeCreatePagefilePrivilege	5848	powercfg.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

6da7ca91e1.exechrome.exe

pid	process
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
3744	6da7ca91e1.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
2708	chrome.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

6da7ca91e1.exechrome.exe

pid	process
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
3744	6da7ca91e1.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
2708	chrome.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe
3744	6da7ca91e1.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3312 Explorer.EXE

pid	process
3312	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exeexplortu.exed991ab00ad.exe6da7ca91e1.exechrome.exeaxplong.exelrthijawd.exe

description	pid	process	target process
PID 1068 wrote to memory of 2276	1068	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe	explortu.exe
PID 1068 wrote to memory of 2276	1068	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe	explortu.exe
PID 1068 wrote to memory of 2276	1068	445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe	explortu.exe
PID 2276 wrote to memory of 1920	2276	explortu.exe	explortu.exe
PID 2276 wrote to memory of 1920	2276	explortu.exe	explortu.exe
PID 2276 wrote to memory of 1920	2276	explortu.exe	explortu.exe
PID 2276 wrote to memory of 2104	2276	explortu.exe	d991ab00ad.exe
PID 2276 wrote to memory of 2104	2276	explortu.exe	d991ab00ad.exe
PID 2276 wrote to memory of 2104	2276	explortu.exe	d991ab00ad.exe
PID 2104 wrote to memory of 3268	2104	d991ab00ad.exe	axplong.exe
PID 2104 wrote to memory of 3268	2104	d991ab00ad.exe	axplong.exe
PID 2104 wrote to memory of 3268	2104	d991ab00ad.exe	axplong.exe
PID 2276 wrote to memory of 4132	2276	explortu.exe	0f1a3878cf.exe
PID 2276 wrote to memory of 4132	2276	explortu.exe	0f1a3878cf.exe
PID 2276 wrote to memory of 4132	2276	explortu.exe	0f1a3878cf.exe
PID 2276 wrote to memory of 3744	2276	explortu.exe	6da7ca91e1.exe
PID 2276 wrote to memory of 3744	2276	explortu.exe	6da7ca91e1.exe
PID 2276 wrote to memory of 3744	2276	explortu.exe	6da7ca91e1.exe
PID 3744 wrote to memory of 2708	3744	6da7ca91e1.exe	chrome.exe
PID 3744 wrote to memory of 2708	3744	6da7ca91e1.exe	chrome.exe
PID 2708 wrote to memory of 696	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 696	2708	chrome.exe	chrome.exe
PID 3268 wrote to memory of 1084	3268	axplong.exe	lrthijawd.exe
PID 3268 wrote to memory of 1084	3268	axplong.exe	lrthijawd.exe
PID 1084 wrote to memory of 2796	1084	lrthijawd.exe	cmd.exe
PID 1084 wrote to memory of 2796	1084	lrthijawd.exe	cmd.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 968	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 2608	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 2608	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 1712	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 1712	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 1712	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 1712	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 1712	2708	chrome.exe	chrome.exe
PID 2708 wrote to memory of 1712	2708	chrome.exe	chrome.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:460

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\ProgramData\orvbb\ssfqe.exe
  C:\ProgramData\orvbb\ssfqe.exe start2
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6100
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1716
- C:\ProgramData\orvbb\ssfqe.exe
  C:\ProgramData\orvbb\ssfqe.exe start2
  2⤵
  - Executes dropped EXE
  PID:5732
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  2⤵
  PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1580
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1932

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2428

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2760

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3312
- C:\Users\Admin\AppData\Local\Temp\445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe
  "C:\Users\Admin\AppData\Local\Temp\445273fc3ce38a9fc2d1b1a2e9f9b43ddcbc6dedd813dba3d259984a8a706490.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      4⤵
      PID:1920
  - - C:\Users\Admin\1000011002\d991ab00ad.exe
      "C:\Users\Admin\1000011002\d991ab00ad.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3268
      - C:\Users\Admin\AppData\Local\Temp\1000012001\lrthijawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000012001\lrthijawd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
        7⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        
        work.exe -priverdD
        8⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
      - C:\Users\Admin\AppData\Local\Temp\1000014001\services64.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000014001\services64.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:5028
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:1784
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:3400
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:1780
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:3232
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:4460
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:2456
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WindowsAutHost"
        7⤵
        Launches sc.exe
        
        PID:3104
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:4684
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:1084
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WindowsAutHost"
        7⤵
        Launches sc.exe
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\1000012001\0f1a3878cf.exe
      "C:\Users\Admin\AppData\Local\Temp\1000012001\0f1a3878cf.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\1000013001\6da7ca91e1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000013001\6da7ca91e1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
        5⤵
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff14b4cc40,0x7fff14b4cc4c,0x7fff14b4cc58
        6⤵
        
        PID:696
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1908 /prefetch:2
        6⤵
        
        PID:968
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2088 /prefetch:3
        6⤵
        
        PID:2608
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2172 /prefetch:8
        6⤵
        
        PID:1712
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2940,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3148 /prefetch:1
        6⤵
        
        PID:776
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3172 /prefetch:1
        6⤵
        
        PID:3456
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3528,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4396 /prefetch:1
        6⤵
        
        PID:3728
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4552,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3268 /prefetch:1
        6⤵
        
        PID:656
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4316,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4524 /prefetch:8
        6⤵
        
        PID:1252
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4288,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4692 /prefetch:8
        6⤵
        Modifies registry class
        
        PID:3408
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5008 /prefetch:8
        6⤵
        
        PID:704
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5052 /prefetch:8
        6⤵
        
        PID:4140
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5328,i,18179742256182648134,406661226846115275,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4820 /prefetch:8
        6⤵
        
        PID:5752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4060

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4400

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3684

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4180

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1908

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:3348

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:872

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1120
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:5252
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5576
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5584
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5656
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5792
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5832
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5944
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:5840
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5952
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5896
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5856
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5968
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5872
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:5908
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion