amadey | bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729

Virtualization/Sandbox Evasion

Processes:

bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeaxplong.exedaf24031e8.exe2adfb08ec8.exe09a73c7a58.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	daf24031e8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2adfb08ec8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	09a73c7a58.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1204 powershell.exe
Downloads MZ/PE file

pid	process
1204	powershell.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Yddftopda\ImagePath = "C:\\Users\\Admin\\AppData\\Roaming\\Fbhost_alpha\\Newfts.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeaxplong.exedaf24031e8.exe09a73c7a58.exe2adfb08ec8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	daf24031e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	09a73c7a58.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	daf24031e8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2adfb08ec8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2adfb08ec8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	09a73c7a58.exe

Executes dropped EXE 21 IoCs

Processes:

axplong.exestealc_default2.exe5hvzv2sl.exe5hvzv2sl.exeha7dur10.exeha7dur10.exedaf24031e8.exeAllNew.exeGxtuum.exeJavvvum.exestail.exestail.tmpscreenstudio32.exekxfh9qhs.exe2adfb08ec8.exeNewfts.exe09a73c7a58.exeNewfts.exetcpvcon.exe82f7967f.exegraph.exe

pid	process
2792	axplong.exe
2892	stealc_default2.exe
1736	5hvzv2sl.exe
1880	5hvzv2sl.exe
1532	ha7dur10.exe
1032	ha7dur10.exe
1548	daf24031e8.exe
2772	AllNew.exe
2952	Gxtuum.exe
1516	Javvvum.exe
872	stail.exe
2212	stail.tmp
600	screenstudio32.exe
1504	kxfh9qhs.exe
2660	2adfb08ec8.exe
2020	Newfts.exe
1420	09a73c7a58.exe
740	Newfts.exe
2180	tcpvcon.exe
2112	82f7967f.exe
1612	graph.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

2adfb08ec8.exe09a73c7a58.exebf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeaxplong.exedaf24031e8.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	2adfb08ec8.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	09a73c7a58.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	daf24031e8.exe

Loads dropped DLL 51 IoCs

Processes:

bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeaxplong.exe5hvzv2sl.exeWerFault.exestealc_default2.exeha7dur10.exeha7dur10.exeAllNew.exeGxtuum.exestail.exestail.tmpscreenstudio32.exeNewfts.exeNewfts.exeexplorer.exe82f7967f.exe

pid	process
2228	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
2792	axplong.exe
2792	axplong.exe
2792	axplong.exe
2792	axplong.exe
1736	5hvzv2sl.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe
2892	stealc_default2.exe
2892	stealc_default2.exe
2792	axplong.exe
1532	ha7dur10.exe
1032	ha7dur10.exe
2792	axplong.exe
2792	axplong.exe
2792	axplong.exe
2772	AllNew.exe
2952	Gxtuum.exe
2952	Gxtuum.exe
2952	Gxtuum.exe
872	stail.exe
2212	stail.tmp
2212	stail.tmp
2212	stail.tmp
2212	stail.tmp
600	screenstudio32.exe
2792	axplong.exe
2792	axplong.exe
2792	axplong.exe
1032	ha7dur10.exe
2020	Newfts.exe
2020	Newfts.exe
2792	axplong.exe
2792	axplong.exe
2020	Newfts.exe
740	Newfts.exe
740	Newfts.exe
740	Newfts.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2112	82f7967f.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	explorer.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

82f7967f.exeaxplong.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe"	82f7967f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\2adfb08ec8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1003379001\\2adfb08ec8.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\09a73c7a58.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1003380001\\09a73c7a58.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

75 drive.google.com
76 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

86 ipinfo.io
88 ipinfo.io

flow	ioc
75	drive.google.com
76	drive.google.com

flow	ioc
86	ipinfo.io
88	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeaxplong.exedaf24031e8.exe2adfb08ec8.exe09a73c7a58.exe

pid	process
2228	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
2792	axplong.exe
1548	daf24031e8.exe
2660	2adfb08ec8.exe
1420	09a73c7a58.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5hvzv2sl.exeNewfts.exe

description	pid	process	target process
PID 1736 set thread context of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 740 set thread context of 2180	740	Newfts.exe	tcpvcon.exe

Drops file in Program Files directory 6 IoCs

Processes:

82f7967f.exeexplorer.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	82f7967f.exe
File created	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	82f7967f.exe
File created	C:\Program Files\Windows Media Player\graph\graph.exe	82f7967f.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	82f7967f.exe
File opened for modification	C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	82f7967f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	explorer.exe

Drops file in Windows directory 3 IoCs

Processes:

bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeAllNew.exetcpvcon.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
File created	C:\Windows\Tasks\Gxtuum.job	AllNew.exe
File created	C:\Windows\Tasks\uninstallBeacon.job	tcpvcon.exe

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2964 1736 WerFault.exe 5hvzv2sl.exe

pid	pid_target	process	target process
2964	1736	WerFault.exe	5hvzv2sl.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

kxfh9qhs.exetcpvcon.exeha7dur10.exedaf24031e8.exeAllNew.exenet.exescreenstudio32.exe5hvzv2sl.exe09a73c7a58.exe2adfb08ec8.exeNewfts.exeexplorer.exebf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exestealc_default2.exe5hvzv2sl.exeha7dur10.exestail.exepowershell.exeNewfts.exeaxplong.exeGxtuum.exeJavvvum.exestail.tmpnet1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kxfh9qhs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpvcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ha7dur10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daf24031e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AllNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	screenstudio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5hvzv2sl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09a73c7a58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2adfb08ec8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5hvzv2sl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ha7dur10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javvvum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stail.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

explorer.exestealc_default2.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	explorer.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	explorer.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

82f7967f.exe5hvzv2sl.exedaf24031e8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	82f7967f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	82f7967f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	5hvzv2sl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5hvzv2sl.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	daf24031e8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A7740A9A34EE42A88D68834B263A8D4CC6BEDB3\Blob = 0f000000010000002000000013fdcb312756257a92b339fdf8f268e1e38bdf9ff18472155d3c94dee72ee1cb0300000001000000140000005a7740a9a34ee42a88d68834b263a8d4cc6bedb32000000001000000320200003082022e30820197a00302010202087de490591328c4d3300d06092a864886f70d01010b0500304f3115301306035504030c0c495352472052686f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3232313131383136333631345a170d3236313131373136333631345a304f3115301306035504030c0c495352472052686f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d003081890281810098174baa0e83a28f1d379d82d15bc5d43e9fc9afb5395b6954e671b5481474cee4e22e197789be684f73953c05961f214c8d71e08666947b2a5837ea6e2c80bc55133395b731163b55a040b48f23036d7d24734a3dcc374d3bc221454fa6e13d0cafc1cbdbf559f73a0c03a543e85154c268e9e183e28bede5a4a2821bf313b30203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038181005b8a65e01d9a34494184079cbe77a087d64bcf4c7c5f64b59cd6b5d8a83ac1b4e8e4c5bb311ba7a9a38cf8e4f1e28be5d5e6b6ba5610b02b8f0c5b2aa8a642c59466462b57d239afc3bc0323724043024220b145f18d311c0b967ed04cd6d0bb47b39cee7de76d78a99cb5b127ad19b0152d4d37dfcef88360f84315ad513f82	82f7967f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A7740A9A34EE42A88D68834B263A8D4CC6BEDB3\Blob = 1400000001000000140000003aaf42ea2d205ad1f7615387c28781c3db8d78a10300000001000000140000005a7740a9a34ee42a88d68834b263a8d4cc6bedb30f000000010000002000000013fdcb312756257a92b339fdf8f268e1e38bdf9ff18472155d3c94dee72ee1cb2000000001000000320200003082022e30820197a00302010202087de490591328c4d3300d06092a864886f70d01010b0500304f3115301306035504030c0c495352472052686f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3232313131383136333631345a170d3236313131373136333631345a304f3115301306035504030c0c495352472052686f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d003081890281810098174baa0e83a28f1d379d82d15bc5d43e9fc9afb5395b6954e671b5481474cee4e22e197789be684f73953c05961f214c8d71e08666947b2a5837ea6e2c80bc55133395b731163b55a040b48f23036d7d24734a3dcc374d3bc221454fa6e13d0cafc1cbdbf559f73a0c03a543e85154c268e9e183e28bede5a4a2821bf313b30203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038181005b8a65e01d9a34494184079cbe77a087d64bcf4c7c5f64b59cd6b5d8a83ac1b4e8e4c5bb311ba7a9a38cf8e4f1e28be5d5e6b6ba5610b02b8f0c5b2aa8a642c59466462b57d239afc3bc0323724043024220b145f18d311c0b967ed04cd6d0bb47b39cee7de76d78a99cb5b127ad19b0152d4d37dfcef88360f84315ad513f82	82f7967f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A7740A9A34EE42A88D68834B263A8D4CC6BEDB3\Blob = 1900000001000000100000006e7caa6fffe9be127133d550cec38c290f000000010000002000000013fdcb312756257a92b339fdf8f268e1e38bdf9ff18472155d3c94dee72ee1cb0300000001000000140000005a7740a9a34ee42a88d68834b263a8d4cc6bedb31400000001000000140000003aaf42ea2d205ad1f7615387c28781c3db8d78a12000000001000000320200003082022e30820197a00302010202087de490591328c4d3300d06092a864886f70d01010b0500304f3115301306035504030c0c495352472052686f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3232313131383136333631345a170d3236313131373136333631345a304f3115301306035504030c0c495352472052686f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d003081890281810098174baa0e83a28f1d379d82d15bc5d43e9fc9afb5395b6954e671b5481474cee4e22e197789be684f73953c05961f214c8d71e08666947b2a5837ea6e2c80bc55133395b731163b55a040b48f23036d7d24734a3dcc374d3bc221454fa6e13d0cafc1cbdbf559f73a0c03a543e85154c268e9e183e28bede5a4a2821bf313b30203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038181005b8a65e01d9a34494184079cbe77a087d64bcf4c7c5f64b59cd6b5d8a83ac1b4e8e4c5bb311ba7a9a38cf8e4f1e28be5d5e6b6ba5610b02b8f0c5b2aa8a642c59466462b57d239afc3bc0323724043024220b145f18d311c0b967ed04cd6d0bb47b39cee7de76d78a99cb5b127ad19b0152d4d37dfcef88360f84315ad513f82	82f7967f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5hvzv2sl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	daf24031e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A7740A9A34EE42A88D68834B263A8D4CC6BEDB3	82f7967f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeaxplong.exestealc_default2.exedaf24031e8.exestail.tmpkxfh9qhs.exe2adfb08ec8.exe09a73c7a58.exeNewfts.exeNewfts.exetcpvcon.exeexplorer.exepowershell.exe82f7967f.exegraph.exe

pid	process
2228	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
2792	axplong.exe
2892	stealc_default2.exe
2892	stealc_default2.exe
1548	daf24031e8.exe
2212	stail.tmp
2212	stail.tmp
1504	kxfh9qhs.exe
1504	kxfh9qhs.exe
2660	2adfb08ec8.exe
1420	09a73c7a58.exe
2020	Newfts.exe
740	Newfts.exe
740	Newfts.exe
2180	tcpvcon.exe
2180	tcpvcon.exe
2180	tcpvcon.exe
2180	tcpvcon.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
1204	powershell.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2112	82f7967f.exe
2112	82f7967f.exe
2112	82f7967f.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
1612	graph.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
1612	graph.exe
1612	graph.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
1612	graph.exe
1612	graph.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
1612	graph.exe
1612	graph.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
1612	graph.exe
1612	graph.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Newfts.exetcpvcon.exe

pid process

740 Newfts.exe
2180 tcpvcon.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tcpvcon.exepowershell.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 2180 tcpvcon.exe
Token: SeDebugPrivilege 1204 powershell.exe
Token: SeDebugPrivilege 2872 explorer.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeAllNew.exestail.tmpexplorer.exe

pid process

2228 bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
2772 AllNew.exe
2212 stail.tmp
2872 explorer.exe

pid	process
740	Newfts.exe
2180	tcpvcon.exe

description	pid	process
Token: SeDebugPrivilege	2180	tcpvcon.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	2872	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exeaxplong.exe5hvzv2sl.exeha7dur10.exeAllNew.exeGxtuum.exe

description	pid	process	target process
PID 2228 wrote to memory of 2792	2228	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe	axplong.exe
PID 2228 wrote to memory of 2792	2228	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe	axplong.exe
PID 2228 wrote to memory of 2792	2228	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe	axplong.exe
PID 2228 wrote to memory of 2792	2228	bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe	axplong.exe
PID 2792 wrote to memory of 2892	2792	axplong.exe	stealc_default2.exe
PID 2792 wrote to memory of 2892	2792	axplong.exe	stealc_default2.exe
PID 2792 wrote to memory of 2892	2792	axplong.exe	stealc_default2.exe
PID 2792 wrote to memory of 2892	2792	axplong.exe	stealc_default2.exe
PID 2792 wrote to memory of 1736	2792	axplong.exe	5hvzv2sl.exe
PID 2792 wrote to memory of 1736	2792	axplong.exe	5hvzv2sl.exe
PID 2792 wrote to memory of 1736	2792	axplong.exe	5hvzv2sl.exe
PID 2792 wrote to memory of 1736	2792	axplong.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 1880	1736	5hvzv2sl.exe	5hvzv2sl.exe
PID 1736 wrote to memory of 2964	1736	5hvzv2sl.exe	WerFault.exe
PID 1736 wrote to memory of 2964	1736	5hvzv2sl.exe	WerFault.exe
PID 1736 wrote to memory of 2964	1736	5hvzv2sl.exe	WerFault.exe
PID 1736 wrote to memory of 2964	1736	5hvzv2sl.exe	WerFault.exe
PID 2792 wrote to memory of 1532	2792	axplong.exe	ha7dur10.exe
PID 2792 wrote to memory of 1532	2792	axplong.exe	ha7dur10.exe
PID 2792 wrote to memory of 1532	2792	axplong.exe	ha7dur10.exe
PID 2792 wrote to memory of 1532	2792	axplong.exe	ha7dur10.exe
PID 2792 wrote to memory of 1532	2792	axplong.exe	ha7dur10.exe
PID 2792 wrote to memory of 1532	2792	axplong.exe	ha7dur10.exe
PID 2792 wrote to memory of 1532	2792	axplong.exe	ha7dur10.exe
PID 1532 wrote to memory of 1032	1532	ha7dur10.exe	ha7dur10.exe
PID 1532 wrote to memory of 1032	1532	ha7dur10.exe	ha7dur10.exe
PID 1532 wrote to memory of 1032	1532	ha7dur10.exe	ha7dur10.exe
PID 1532 wrote to memory of 1032	1532	ha7dur10.exe	ha7dur10.exe
PID 1532 wrote to memory of 1032	1532	ha7dur10.exe	ha7dur10.exe
PID 1532 wrote to memory of 1032	1532	ha7dur10.exe	ha7dur10.exe
PID 1532 wrote to memory of 1032	1532	ha7dur10.exe	ha7dur10.exe
PID 2792 wrote to memory of 1548	2792	axplong.exe	daf24031e8.exe
PID 2792 wrote to memory of 1548	2792	axplong.exe	daf24031e8.exe
PID 2792 wrote to memory of 1548	2792	axplong.exe	daf24031e8.exe
PID 2792 wrote to memory of 1548	2792	axplong.exe	daf24031e8.exe
PID 2792 wrote to memory of 2772	2792	axplong.exe	AllNew.exe
PID 2792 wrote to memory of 2772	2792	axplong.exe	AllNew.exe
PID 2792 wrote to memory of 2772	2792	axplong.exe	AllNew.exe
PID 2792 wrote to memory of 2772	2792	axplong.exe	AllNew.exe
PID 2772 wrote to memory of 2952	2772	AllNew.exe	Gxtuum.exe
PID 2772 wrote to memory of 2952	2772	AllNew.exe	Gxtuum.exe
PID 2772 wrote to memory of 2952	2772	AllNew.exe	Gxtuum.exe
PID 2772 wrote to memory of 2952	2772	AllNew.exe	Gxtuum.exe
PID 2952 wrote to memory of 1516	2952	Gxtuum.exe	Javvvum.exe
PID 2952 wrote to memory of 1516	2952	Gxtuum.exe	Javvvum.exe
PID 2952 wrote to memory of 1516	2952	Gxtuum.exe	Javvvum.exe
PID 2952 wrote to memory of 1516	2952	Gxtuum.exe	Javvvum.exe
PID 2952 wrote to memory of 872	2952	Gxtuum.exe	stail.exe
PID 2952 wrote to memory of 872	2952	Gxtuum.exe	stail.exe
PID 2952 wrote to memory of 872	2952	Gxtuum.exe	stail.exe
PID 2952 wrote to memory of 872	2952	Gxtuum.exe	stail.exe
PID 2952 wrote to memory of 872	2952	Gxtuum.exe	stail.exe
PID 2952 wrote to memory of 872	2952	Gxtuum.exe	stail.exe
PID 2952 wrote to memory of 872	2952	Gxtuum.exe	stail.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe
"C:\Users\Admin\AppData\Local\Temp\bf9f951dd0f13b3a7749b2bae9beb07550abc9efb29a808154def7318a42f729.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\1001527001\5hvzv2sl.exe
    "C:\Users\Admin\AppData\Local\Temp\1001527001\5hvzv2sl.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\1001527001\5hvzv2sl.exe
      "C:\Users\Admin\AppData\Local\Temp\1001527001\5hvzv2sl.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:1880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 52
      4⤵
      Loads dropped DLL
      Program crash
      PID:2964
- - C:\Users\Admin\AppData\Local\Temp\1002552001\ha7dur10.exe
    "C:\Users\Admin\AppData\Local\Temp\1002552001\ha7dur10.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\Temp\{D5CD8788-21DD-44D0-8277-6DBBAEA82B58}\.cr\ha7dur10.exe
      "C:\Windows\Temp\{D5CD8788-21DD-44D0-8277-6DBBAEA82B58}\.cr\ha7dur10.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\1002552001\ha7dur10.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1032
    - - C:\Windows\Temp\{2426CACC-542B-44D7-8C91-5446D1AB9B12}\.ba\Newfts.exe
        
        "C:\Windows\Temp\{2426CACC-542B-44D7-8C91-5446D1AB9B12}\.ba\Newfts.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
      - C:\Users\Admin\AppData\Roaming\Fbhost_alpha\Newfts.exe
        
        C:\Users\Admin\AppData\Roaming\Fbhost_alpha\Newfts.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\Fbhost_alpha\tcpvcon.exe
        
        "C:\Users\Admin\AppData\Roaming\Fbhost_alpha\tcpvcon.exe" "C:\Users\Admin\AppData\Roaming\Fbhost_alpha\tcpvcon.exe" /accepteula
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        8⤵
        Sets service image path in registry
        Loads dropped DLL
        Accesses Microsoft Outlook accounts
        Accesses Microsoft Outlook profiles
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        outlook_office_path
        outlook_win_path
        
        PID:2872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Fbhost_alpha\Newfts.exe
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\ProgramData\82f7967f.exe
        
        C:\ProgramData\82f7967f.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Program Files\Windows Media Player\graph\graph.exe
        
        "C:\Program Files\Windows Media Player\graph\graph.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
- - C:\Users\Admin\AppData\Local\Temp\1002824001\daf24031e8.exe
    "C:\Users\Admin\AppData\Local\Temp\1002824001\daf24031e8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
    "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
    - - C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:872
      - C:\Users\Admin\AppData\Local\Temp\is-A2JJU.tmp\stail.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A2JJU.tmp\stail.tmp" /SL5="$C01BA,4564320,54272,C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2212
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause screenstudio_11173
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause screenstudio_11173
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Screen Studio 1.37\screenstudio32.exe
        
        "C:\Users\Admin\AppData\Local\Screen Studio 1.37\screenstudio32.exe" -i
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:600
- - C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe
    "C:\Users\Admin\AppData\Local\Temp\1003374001\kxfh9qhs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\1003379001\2adfb08ec8.exe
    "C:\Users\Admin\AppData\Local\Temp\1003379001\2adfb08ec8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\1003380001\09a73c7a58.exe
    "C:\Users\Admin\AppData\Local\Temp\1003380001\09a73c7a58.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion