amadey | 55dbaec41fa7cc4224753c8859a8b836ef079e9e2c7458d639e1fe30690779fa

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysmablsvr.exe

Phorphiex payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233d1-17.dat	family_phorphiex
behavioral2/files/0x000900000002337a-512.dat	family_phorphiex
behavioral2/files/0x0007000000023507-531.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 428 created 3424	428	nxmr.exe	55
PID 428 created 3424	428	nxmr.exe	55
PID 2440 created 3424	2440	wupgrdsv.exe	55
PID 2440 created 3424	2440	wupgrdsv.exe	55
PID 5772 created 3416	5772	Dropper.exe	83

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svoutse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0f3ab47a90.exe

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral2/memory/2440-66-0x00007FF7A2A30000-0x00007FF7A2FA6000-memory.dmp	xmrig
behavioral2/memory/3268-73-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp	xmrig
behavioral2/memory/3268-115-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp	xmrig
behavioral2/memory/3268-349-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp	xmrig
behavioral2/memory/3268-494-0x00007FF64B320000-0x00007FF64BB0F000-memory.dmp	xmrig

Contacts a large (662) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0f3ab47a90.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svoutse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0f3ab47a90.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	svoutse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Executes dropped EXE 22 IoCs

pid	Process
428	nxmr.exe
4296	m.exe
2788	t2.exe
2000	sysmablsvr.exe
2440	wupgrdsv.exe
4172	849821766.exe
2248	random.exe
4896	svoutse.exe
4772	0f3ab47a90.exe
820	e04acc355b.exe
5772	Dropper.exe
6256	t1.exe
7232	s.exe
7444	VBoxSVC.exe
7588	ZinTask.exe
7036	svoutse.exe
7776	tdrpload.exe
5356	pp.exe
6768	pi.exe
7960	pei.exe
4964	npp.exe
7580	11.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine	svoutse.exe
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine	0f3ab47a90.exe
Key opened	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine	svoutse.exe

Loads dropped DLL 6 IoCs

pid	Process
7444	VBoxSVC.exe
7444	VBoxSVC.exe
7444	VBoxSVC.exe
7444	VBoxSVC.exe
7444	VBoxSVC.exe
7444	VBoxSVC.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysmablsvr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysmablsvr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe"	m.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3408	powershell.exe
4752	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
429	raw.githubusercontent.com
431	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00070000000233ff-121.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2248	random.exe
4896	svoutse.exe
4772	0f3ab47a90.exe
7036	svoutse.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 3268	2440	wupgrdsv.exe	110
PID 7444 set thread context of 7532	7444	VBoxSVC.exe	168

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\sysmablsvr.exe	m.exe
File opened for modification	C:\Windows\sysmablsvr.exe	m.exe
File created	C:\Windows\Tasks\svoutse.job	random.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7692	7588	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f3ab47a90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZinTask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrpload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysmablsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	849821766.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svoutse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	t2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e04acc355b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Dropper.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Dropper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
428	nxmr.exe
428	nxmr.exe
3408	powershell.exe
3408	powershell.exe
428	nxmr.exe
428	nxmr.exe
2440	wupgrdsv.exe
2440	wupgrdsv.exe
4752	powershell.exe
4752	powershell.exe
2440	wupgrdsv.exe
2440	wupgrdsv.exe
2248	random.exe
2248	random.exe
4896	svoutse.exe
4896	svoutse.exe
4772	0f3ab47a90.exe
4772	0f3ab47a90.exe
5324	msedge.exe
5324	msedge.exe
1432	msedge.exe
1432	msedge.exe
5772	Dropper.exe
5772	Dropper.exe
348	identity_helper.exe
348	identity_helper.exe
5772	Dropper.exe
5772	Dropper.exe
7444	VBoxSVC.exe
7444	VBoxSVC.exe
7036	svoutse.exe
7036	svoutse.exe
7532	cmd.exe
7532	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
820	e04acc355b.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
7444	VBoxSVC.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	4363463463464363463463463.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeIncreaseQuotaPrivilege	3408	powershell.exe
Token: SeSecurityPrivilege	3408	powershell.exe
Token: SeTakeOwnershipPrivilege	3408	powershell.exe
Token: SeLoadDriverPrivilege	3408	powershell.exe
Token: SeSystemProfilePrivilege	3408	powershell.exe
Token: SeSystemtimePrivilege	3408	powershell.exe
Token: SeProfSingleProcessPrivilege	3408	powershell.exe
Token: SeIncBasePriorityPrivilege	3408	powershell.exe
Token: SeCreatePagefilePrivilege	3408	powershell.exe
Token: SeBackupPrivilege	3408	powershell.exe
Token: SeRestorePrivilege	3408	powershell.exe
Token: SeShutdownPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeSystemEnvironmentPrivilege	3408	powershell.exe
Token: SeRemoteShutdownPrivilege	3408	powershell.exe
Token: SeUndockPrivilege	3408	powershell.exe
Token: SeManageVolumePrivilege	3408	powershell.exe
Token: 33	3408	powershell.exe
Token: 34	3408	powershell.exe
Token: 35	3408	powershell.exe
Token: 36	3408	powershell.exe
Token: SeIncreaseQuotaPrivilege	3408	powershell.exe
Token: SeSecurityPrivilege	3408	powershell.exe
Token: SeTakeOwnershipPrivilege	3408	powershell.exe
Token: SeLoadDriverPrivilege	3408	powershell.exe
Token: SeSystemProfilePrivilege	3408	powershell.exe
Token: SeSystemtimePrivilege	3408	powershell.exe
Token: SeProfSingleProcessPrivilege	3408	powershell.exe
Token: SeIncBasePriorityPrivilege	3408	powershell.exe
Token: SeCreatePagefilePrivilege	3408	powershell.exe
Token: SeBackupPrivilege	3408	powershell.exe
Token: SeRestorePrivilege	3408	powershell.exe
Token: SeShutdownPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeSystemEnvironmentPrivilege	3408	powershell.exe
Token: SeRemoteShutdownPrivilege	3408	powershell.exe
Token: SeUndockPrivilege	3408	powershell.exe
Token: SeManageVolumePrivilege	3408	powershell.exe
Token: 33	3408	powershell.exe
Token: 34	3408	powershell.exe
Token: 35	3408	powershell.exe
Token: 36	3408	powershell.exe
Token: SeIncreaseQuotaPrivilege	3408	powershell.exe
Token: SeSecurityPrivilege	3408	powershell.exe
Token: SeTakeOwnershipPrivilege	3408	powershell.exe
Token: SeLoadDriverPrivilege	3408	powershell.exe
Token: SeSystemProfilePrivilege	3408	powershell.exe
Token: SeSystemtimePrivilege	3408	powershell.exe
Token: SeProfSingleProcessPrivilege	3408	powershell.exe
Token: SeIncBasePriorityPrivilege	3408	powershell.exe
Token: SeCreatePagefilePrivilege	3408	powershell.exe
Token: SeBackupPrivilege	3408	powershell.exe
Token: SeRestorePrivilege	3408	powershell.exe
Token: SeShutdownPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeSystemEnvironmentPrivilege	3408	powershell.exe
Token: SeRemoteShutdownPrivilege	3408	powershell.exe
Token: SeUndockPrivilege	3408	powershell.exe
Token: SeManageVolumePrivilege	3408	powershell.exe
Token: 33	3408	powershell.exe
Token: 34	3408	powershell.exe
Token: 35	3408	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
1432	msedge.exe
1432	msedge.exe
3268	notepad.exe
820	e04acc355b.exe
1432	msedge.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
3268	notepad.exe
820	e04acc355b.exe
820	e04acc355b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 428	3416	4363463463464363463463463.exe	99
PID 3416 wrote to memory of 428	3416	4363463463464363463463463.exe	99
PID 3416 wrote to memory of 4296	3416	4363463463464363463463463.exe	100
PID 3416 wrote to memory of 4296	3416	4363463463464363463463463.exe	100
PID 3416 wrote to memory of 4296	3416	4363463463464363463463463.exe	100
PID 3416 wrote to memory of 2788	3416	4363463463464363463463463.exe	101
PID 3416 wrote to memory of 2788	3416	4363463463464363463463463.exe	101
PID 3416 wrote to memory of 2788	3416	4363463463464363463463463.exe	101
PID 4296 wrote to memory of 2000	4296	m.exe	102
PID 4296 wrote to memory of 2000	4296	m.exe	102
PID 4296 wrote to memory of 2000	4296	m.exe	102
PID 2440 wrote to memory of 3268	2440	wupgrdsv.exe	110
PID 2000 wrote to memory of 4172	2000	sysmablsvr.exe	111
PID 2000 wrote to memory of 4172	2000	sysmablsvr.exe	111
PID 2000 wrote to memory of 4172	2000	sysmablsvr.exe	111
PID 3416 wrote to memory of 2248	3416	4363463463464363463463463.exe	116
PID 3416 wrote to memory of 2248	3416	4363463463464363463463463.exe	116
PID 3416 wrote to memory of 2248	3416	4363463463464363463463463.exe	116
PID 2248 wrote to memory of 4896	2248	random.exe	117
PID 2248 wrote to memory of 4896	2248	random.exe	117
PID 2248 wrote to memory of 4896	2248	random.exe	117
PID 4896 wrote to memory of 4772	4896	svoutse.exe	118
PID 4896 wrote to memory of 4772	4896	svoutse.exe	118
PID 4896 wrote to memory of 4772	4896	svoutse.exe	118
PID 4896 wrote to memory of 820	4896	svoutse.exe	119
PID 4896 wrote to memory of 820	4896	svoutse.exe	119
PID 4896 wrote to memory of 820	4896	svoutse.exe	119
PID 820 wrote to memory of 1432	820	e04acc355b.exe	120
PID 820 wrote to memory of 1432	820	e04acc355b.exe	120
PID 1432 wrote to memory of 376	1432	msedge.exe	121
PID 1432 wrote to memory of 376	1432	msedge.exe	121
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122
PID 1432 wrote to memory of 5316	1432	msedge.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:428
- - C:\Users\Admin\AppData\Local\Temp\Files\m.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\sysmablsvr.exe
      C:\Windows\sysmablsvr.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\849821766.exe
        
        C:\Users\Admin\AppData\Local\Temp\849821766.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
- - C:\Users\Admin\AppData\Local\Temp\Files\t2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
      "C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\1000013001\0f3ab47a90.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000013001\0f3ab47a90.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\1000015001\e04acc355b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000015001\e04acc355b.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
        6⤵
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data Kiosk" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8840846f8,0x7ff884084708,0x7ff884084718
        7⤵
        
        PID:376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        7⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5324
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
        7⤵
        
        PID:5332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        7⤵
        
        PID:5448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        7⤵
        
        PID:5456
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
        7⤵
        
        PID:5624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
        7⤵
        
        PID:5644
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
        7⤵
        
        PID:5816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
        7⤵
        
        PID:5824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
        7⤵
        
        PID:5832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
        7⤵
        
        PID:5848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
        7⤵
        
        PID:6032
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
        7⤵
        
        PID:6040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
        7⤵
        
        PID:5356
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
        7⤵
        
        PID:5372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
        7⤵
        
        PID:5340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        7⤵
        
        PID:5348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
        7⤵
        
        PID:5464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
        7⤵
        
        PID:5476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
        7⤵
        
        PID:5924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
        7⤵
        
        PID:6168
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
        7⤵
        
        PID:6976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
        7⤵
        
        PID:6984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        7⤵
        
        PID:7164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
        7⤵
        
        PID:5856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
        7⤵
        
        PID:5864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
        7⤵
        
        PID:5872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
        7⤵
        
        PID:5880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
        7⤵
        
        PID:5888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
        7⤵
        
        PID:6036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
        7⤵
        
        PID:6048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --disable-databases --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
        7⤵
        
        PID:6056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:8
        7⤵
        
        PID:6376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,16688730495588090926,12020625824626590432,131072 --disable-features=TranslateUI --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
- - C:\Users\Admin\AppData\Local\Temp\Files\Dropper.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Dropper.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5772
- - C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6256
- - C:\Users\Admin\AppData\Local\Temp\Files\s.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7232
- - C:\Users\Admin\AppData\Roaming\netprofm\VBoxSVC.exe
    "C:\Users\Admin\AppData\Roaming\netprofm\VBoxSVC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:7444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:7532
- - C:\Users\Admin\AppData\Local\Temp\Files\ZinTask.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ZinTask.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7588 -s 232
      4⤵
      Program crash
      PID:7692
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7776
- - C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5356
- - C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6768
- - C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7960
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\Files\11.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3268

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7588 -ip 7588
1⤵
PID:7672

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion