amadey | 86b9d17c28f513e6610f028215365d251053d95326a6e2d4dc5d3d84d791887e

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1dd97d643c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1dd97d643c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1dd97d643c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1dd97d643c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1dd97d643c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1dd97d643c.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1368-246-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1368-243-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1368-241-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1368-248-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1368-247-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	643f7e502f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	96faa11ae9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1dd97d643c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	130b282dc6eb40ad9df048de58ac4e96.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	375ab19684.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eb781d624e.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	130b282dc6eb40ad9df048de58ac4e96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eb781d624e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1dd97d643c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	643f7e502f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1dd97d643c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	130b282dc6eb40ad9df048de58ac4e96.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	375ab19684.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	643f7e502f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	375ab19684.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eb781d624e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	96faa11ae9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	96faa11ae9.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	splwow64.exe

Executes dropped EXE 25 IoCs

pid	Process
1244	axplong.exe
1084	gold.exe
2720	legas.exe
2204	xPW5QW1Nfy.exe
2260	h0mzouAcPy.exe
316	stealc_default2.exe
2428	375ab19684.exe
2360	eb781d624e.exe
2956	skotes.exe
1624	MK.exe
2840	Nework.exe
2064	Hkbsse.exe
2760	processclass.exe
3052	num.exe
2320	splwow64.exe
2472	JavUmar1.exe
2424	643f7e502f.exe
1196	96faa11ae9.exe
2448	stories.exe
576	is-AEU5E.tmp
1820	sdkplayer.exe
1752	context.exe
704	1dd97d643c.exe
2876	service123.exe
2868	service123.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	eb781d624e.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	643f7e502f.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	96faa11ae9.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	1dd97d643c.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	130b282dc6eb40ad9df048de58ac4e96.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	375ab19684.exe

Loads dropped DLL 47 IoCs

pid	Process
1600	130b282dc6eb40ad9df048de58ac4e96.exe
1244	axplong.exe
1244	axplong.exe
1244	axplong.exe
340	WerFault.exe
340	WerFault.exe
2928	MSBuild.exe
2928	MSBuild.exe
340	WerFault.exe
1244	axplong.exe
1244	axplong.exe
1244	axplong.exe
1244	axplong.exe
1244	axplong.exe
2360	eb781d624e.exe
1244	axplong.exe
1244	axplong.exe
2840	Nework.exe
1244	axplong.exe
316	stealc_default2.exe
316	stealc_default2.exe
2956	skotes.exe
2956	skotes.exe
1244	axplong.exe
2064	Hkbsse.exe
2064	Hkbsse.exe
2956	skotes.exe
2956	skotes.exe
2956	skotes.exe
2956	skotes.exe
2064	Hkbsse.exe
2448	stories.exe
576	is-AEU5E.tmp
576	is-AEU5E.tmp
576	is-AEU5E.tmp
576	is-AEU5E.tmp
2956	skotes.exe
2956	skotes.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
784	WerFault.exe
2472	JavUmar1.exe
2472	JavUmar1.exe
2876	service123.exe
2868	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	1dd97d643c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1dd97d643c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\375ab19684.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\375ab19684.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\eb781d624e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\eb781d624e.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000336001\\num.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\643f7e502f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000349001\\643f7e502f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\96faa11ae9.exe = "C:\\Users\\Admin\\1000350002\\96faa11ae9.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
1600	130b282dc6eb40ad9df048de58ac4e96.exe
1244	axplong.exe
2428	375ab19684.exe
2360	eb781d624e.exe
2956	skotes.exe
2424	643f7e502f.exe
1196	96faa11ae9.exe
704	1dd97d643c.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2928	2720	legas.exe	35
PID 1624 set thread context of 1368	1624	MK.exe	47
PID 2320 set thread context of 856	2320	splwow64.exe	69

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	130b282dc6eb40ad9df048de58ac4e96.exe
File created	C:\Windows\Tasks\skotes.job	eb781d624e.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
340	2720	WerFault.exe	34
784	1752	WerFault.exe	65

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dd97d643c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavUmar1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	643f7e502f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-AEU5E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdkplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stories.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	num.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	130b282dc6eb40ad9df048de58ac4e96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb781d624e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	375ab19684.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96faa11ae9.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JavUmar1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JavUmar1.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
900	timeout.exe

Kills process with taskkill 1 IoCs

pid	Process
1588	taskkill.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	gold.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	gold.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	643f7e502f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	643f7e502f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	gold.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	gold.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gold.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gold.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	gold.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2676	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1752	context.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1600	130b282dc6eb40ad9df048de58ac4e96.exe
1244	axplong.exe
316	stealc_default2.exe
2428	375ab19684.exe
2360	eb781d624e.exe
2956	skotes.exe
2260	h0mzouAcPy.exe
2204	xPW5QW1Nfy.exe
316	stealc_default2.exe
1368	RegAsm.exe
1368	RegAsm.exe
1368	RegAsm.exe
2424	643f7e502f.exe
1196	96faa11ae9.exe
704	1dd97d643c.exe
704	1dd97d643c.exe
704	1dd97d643c.exe
2320	splwow64.exe
2320	splwow64.exe
1752	context.exe
1752	context.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	2260	h0mzouAcPy.exe
Token: SeBackupPrivilege	2204	xPW5QW1Nfy.exe
Token: SeSecurityPrivilege	2204	xPW5QW1Nfy.exe
Token: SeSecurityPrivilege	2260	h0mzouAcPy.exe
Token: SeSecurityPrivilege	2204	xPW5QW1Nfy.exe
Token: SeSecurityPrivilege	2204	xPW5QW1Nfy.exe
Token: SeSecurityPrivilege	2204	xPW5QW1Nfy.exe
Token: SeSecurityPrivilege	2260	h0mzouAcPy.exe
Token: SeSecurityPrivilege	2260	h0mzouAcPy.exe
Token: SeSecurityPrivilege	2260	h0mzouAcPy.exe
Token: SeDebugPrivilege	2204	xPW5QW1Nfy.exe
Token: SeDebugPrivilege	2260	h0mzouAcPy.exe
Token: SeDebugPrivilege	1368	RegAsm.exe
Token: SeDebugPrivilege	2760	processclass.exe
Token: SeDebugPrivilege	2320	splwow64.exe
Token: SeDebugPrivilege	704	1dd97d643c.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1752	context.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1600	130b282dc6eb40ad9df048de58ac4e96.exe
2360	eb781d624e.exe
2840	Nework.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1244	1600	130b282dc6eb40ad9df048de58ac4e96.exe	30
PID 1600 wrote to memory of 1244	1600	130b282dc6eb40ad9df048de58ac4e96.exe	30
PID 1600 wrote to memory of 1244	1600	130b282dc6eb40ad9df048de58ac4e96.exe	30
PID 1600 wrote to memory of 1244	1600	130b282dc6eb40ad9df048de58ac4e96.exe	30
PID 1244 wrote to memory of 1084	1244	axplong.exe	33
PID 1244 wrote to memory of 1084	1244	axplong.exe	33
PID 1244 wrote to memory of 1084	1244	axplong.exe	33
PID 1244 wrote to memory of 1084	1244	axplong.exe	33
PID 1244 wrote to memory of 1084	1244	axplong.exe	33
PID 1244 wrote to memory of 1084	1244	axplong.exe	33
PID 1244 wrote to memory of 1084	1244	axplong.exe	33
PID 1244 wrote to memory of 2720	1244	axplong.exe	34
PID 1244 wrote to memory of 2720	1244	axplong.exe	34
PID 1244 wrote to memory of 2720	1244	axplong.exe	34
PID 1244 wrote to memory of 2720	1244	axplong.exe	34
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 2928	2720	legas.exe	35
PID 2720 wrote to memory of 340	2720	legas.exe	36
PID 2720 wrote to memory of 340	2720	legas.exe	36
PID 2720 wrote to memory of 340	2720	legas.exe	36
PID 2720 wrote to memory of 340	2720	legas.exe	36
PID 2928 wrote to memory of 2204	2928	MSBuild.exe	37
PID 2928 wrote to memory of 2204	2928	MSBuild.exe	37
PID 2928 wrote to memory of 2204	2928	MSBuild.exe	37
PID 2928 wrote to memory of 2204	2928	MSBuild.exe	37
PID 2928 wrote to memory of 2260	2928	MSBuild.exe	38
PID 2928 wrote to memory of 2260	2928	MSBuild.exe	38
PID 2928 wrote to memory of 2260	2928	MSBuild.exe	38
PID 2928 wrote to memory of 2260	2928	MSBuild.exe	38
PID 1244 wrote to memory of 316	1244	axplong.exe	39
PID 1244 wrote to memory of 316	1244	axplong.exe	39
PID 1244 wrote to memory of 316	1244	axplong.exe	39
PID 1244 wrote to memory of 316	1244	axplong.exe	39
PID 1244 wrote to memory of 2428	1244	axplong.exe	40
PID 1244 wrote to memory of 2428	1244	axplong.exe	40
PID 1244 wrote to memory of 2428	1244	axplong.exe	40
PID 1244 wrote to memory of 2428	1244	axplong.exe	40
PID 1244 wrote to memory of 2360	1244	axplong.exe	42
PID 1244 wrote to memory of 2360	1244	axplong.exe	42
PID 1244 wrote to memory of 2360	1244	axplong.exe	42
PID 1244 wrote to memory of 2360	1244	axplong.exe	42
PID 2360 wrote to memory of 2956	2360	eb781d624e.exe	44
PID 2360 wrote to memory of 2956	2360	eb781d624e.exe	44
PID 2360 wrote to memory of 2956	2360	eb781d624e.exe	44
PID 2360 wrote to memory of 2956	2360	eb781d624e.exe	44
PID 1244 wrote to memory of 1624	1244	axplong.exe	45
PID 1244 wrote to memory of 1624	1244	axplong.exe	45
PID 1244 wrote to memory of 1624	1244	axplong.exe	45
PID 1244 wrote to memory of 1624	1244	axplong.exe	45
PID 1624 wrote to memory of 1368	1624	MK.exe	47
PID 1624 wrote to memory of 1368	1624	MK.exe	47
PID 1624 wrote to memory of 1368	1624	MK.exe	47
PID 1624 wrote to memory of 1368	1624	MK.exe	47
PID 1624 wrote to memory of 1368	1624	MK.exe	47
PID 1624 wrote to memory of 1368	1624	MK.exe	47

C:\Users\Admin\AppData\Local\Temp\130b282dc6eb40ad9df048de58ac4e96.exe
"C:\Users\Admin\AppData\Local\Temp\130b282dc6eb40ad9df048de58ac4e96.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:1084
- - C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Users\Admin\AppData\Roaming\xPW5QW1Nfy.exe
        
        "C:\Users\Admin\AppData\Roaming\xPW5QW1Nfy.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Users\Admin\AppData\Roaming\h0mzouAcPy.exe
        
        "C:\Users\Admin\AppData\Roaming\h0mzouAcPy.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 52
      4⤵
      Loads dropped DLL
      Program crash
      PID:340
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:316
- - C:\Users\Admin\AppData\Local\Temp\1000354001\375ab19684.exe
    "C:\Users\Admin\AppData\Local\Temp\1000354001\375ab19684.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\1000355001\eb781d624e.exe
    "C:\Users\Admin\AppData\Local\Temp\1000355001\eb781d624e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2956
    - - C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\1000349001\643f7e502f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000349001\643f7e502f.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
    - - C:\Users\Admin\1000350002\96faa11ae9.exe
        
        "C:\Users\Admin\1000350002\96faa11ae9.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\1000357001\1dd97d643c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000357001\1dd97d643c.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Windows security modification
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        
        PID:1776
- - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1368
- - C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\JavUmar1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\JavUmar1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:2472
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2876
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\1000089001\stories.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000089001\stories.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2448
      - C:\Users\Admin\AppData\Local\Temp\is-VU452.tmp\is-AEU5E.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-VU452.tmp\is-AEU5E.tmp" /SL4 $B0184 "C:\Users\Admin\AppData\Local\Temp\1000089001\stories.exe" 4024913 52736
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Users\Admin\AppData\Local\SDKPlayer\sdkplayer.exe
        
        "C:\Users\Admin\AppData\Local\SDKPlayer\sdkplayer.exe" -i
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1820
- - C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
    "C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start context.exe
      4⤵
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 728
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:784
- - C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
    "C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:848
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:900

C:\Windows\system32\taskeng.exe
taskeng.exe {93FF95F6-181B-4718-982E-F9EB999AA70A} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\service123.exe
  C:\Users\Admin\AppData\Local\Temp\/service123.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion