neshta | e533e9171cd5be1442ac411b60af0e29bcef9ecd53cc27236aeb200ad18c7271

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~1.EXE

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~1.EXE

Checks computer location settings 2 TTPs 21 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	NL Brute 1.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_NL Brute 1.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_NL Brute 1.2.exe

Executes dropped EXE 35 IoCs

pid	Process
2000	._cache_NL Brute 1.2.exe
1360	._cache_NL Brute 1.2.exe
232	Synaptics.exe
4916	._cache_._cache_NL Brute 1.2.exe
3512	._cache_Synaptics.exe
4952	Synaptics.exe
928	svchost.com
5100	._cache_Synaptics.exe
4888	_CACHE~2.EXE
3784	svchost.com
2296	_CACHE~2.EXE
3212	._cache__CACHE~2.EXE
2924	._cache__CACHE~2.EXE
2640	svchost.com
5096	_CACHE~1.EXE
3528	svchost.com
952	_CACHE~1.EXE
5084	Synaptics.exe
3480	Synaptics.exe
4660	Synaptics.exe
5076	._cache__CACHE~1.EXE
5048	._cache__CACHE~1.EXE
1540	Synaptics.exe
1956	._cache_Synaptics.exe
4216	svchost.com
716	_CACHE~2.EXE
1320	._cache__CACHE~2.EXE
1736	svchost.com
4268	Synaptics.exe
4764	_CACHE~1.EXE
4004	._cache__CACHE~1.EXE
3388	Synaptics.exe
3896	._cache_Synaptics.exe
2492	svchost.com
2864	_CACHE~2.EXE

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	._cache__CACHE~1.EXE
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	._cache__CACHE~1.EXE
Key opened	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine	._cache__CACHE~1.EXE

Loads dropped DLL 16 IoCs

pid	Process
4952	Synaptics.exe
4952	Synaptics.exe
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
952	_CACHE~1.EXE
952	_CACHE~1.EXE
1540	Synaptics.exe
1540	Synaptics.exe
716	_CACHE~2.EXE
716	_CACHE~2.EXE
4268	Synaptics.exe
4268	Synaptics.exe
4764	_CACHE~1.EXE
4764	_CACHE~1.EXE
3388	Synaptics.exe
3388	Synaptics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_NL Brute 1.2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_NL Brute 1.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	NL Brute 1.2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5048	._cache__CACHE~1.EXE
5076	._cache__CACHE~1.EXE
4004	._cache__CACHE~1.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	._cache_NL Brute 1.2.exe

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_NL Brute 1.2.exe
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache_._cache_NL Brute 1.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL Brute 1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_NL Brute 1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_NL Brute 1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_NL Brute 1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_NL Brute 1.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NL Brute 1.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_NL Brute 1.2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2604	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
4888	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE
2296	_CACHE~2.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	4888	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2296	_CACHE~2.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5076	._cache__CACHE~1.EXE
5048	._cache__CACHE~1.EXE
5076	._cache__CACHE~1.EXE
5048	._cache__CACHE~1.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
5076	._cache__CACHE~1.EXE
5048	._cache__CACHE~1.EXE
5076	._cache__CACHE~1.EXE
5048	._cache__CACHE~1.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2604	EXCEL.EXE
2604	EXCEL.EXE
2604	EXCEL.EXE
2604	EXCEL.EXE
3996	EXCEL.EXE
3996	EXCEL.EXE
5048	._cache__CACHE~1.EXE
5076	._cache__CACHE~1.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
3480	EXCEL.EXE
3480	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 2000	4672	NL Brute 1.2.exe	83
PID 4672 wrote to memory of 2000	4672	NL Brute 1.2.exe	83
PID 4672 wrote to memory of 2000	4672	NL Brute 1.2.exe	83
PID 2000 wrote to memory of 1360	2000	._cache_NL Brute 1.2.exe	84
PID 2000 wrote to memory of 1360	2000	._cache_NL Brute 1.2.exe	84
PID 2000 wrote to memory of 1360	2000	._cache_NL Brute 1.2.exe	84
PID 4672 wrote to memory of 232	4672	NL Brute 1.2.exe	85
PID 4672 wrote to memory of 232	4672	NL Brute 1.2.exe	85
PID 4672 wrote to memory of 232	4672	NL Brute 1.2.exe	85
PID 1360 wrote to memory of 4916	1360	._cache_NL Brute 1.2.exe	86
PID 1360 wrote to memory of 4916	1360	._cache_NL Brute 1.2.exe	86
PID 1360 wrote to memory of 4916	1360	._cache_NL Brute 1.2.exe	86
PID 232 wrote to memory of 3512	232	Synaptics.exe	87
PID 232 wrote to memory of 3512	232	Synaptics.exe	87
PID 232 wrote to memory of 3512	232	Synaptics.exe	87
PID 1360 wrote to memory of 4952	1360	._cache_NL Brute 1.2.exe	88
PID 1360 wrote to memory of 4952	1360	._cache_NL Brute 1.2.exe	88
PID 1360 wrote to memory of 4952	1360	._cache_NL Brute 1.2.exe	88
PID 3512 wrote to memory of 928	3512	._cache_Synaptics.exe	90
PID 3512 wrote to memory of 928	3512	._cache_Synaptics.exe	90
PID 3512 wrote to memory of 928	3512	._cache_Synaptics.exe	90
PID 4952 wrote to memory of 5100	4952	Synaptics.exe	93
PID 4952 wrote to memory of 5100	4952	Synaptics.exe	93
PID 4952 wrote to memory of 5100	4952	Synaptics.exe	93
PID 928 wrote to memory of 4888	928	svchost.com	91
PID 928 wrote to memory of 4888	928	svchost.com	91
PID 928 wrote to memory of 4888	928	svchost.com	91
PID 5100 wrote to memory of 3784	5100	._cache_Synaptics.exe	94
PID 5100 wrote to memory of 3784	5100	._cache_Synaptics.exe	94
PID 5100 wrote to memory of 3784	5100	._cache_Synaptics.exe	94
PID 3784 wrote to memory of 2296	3784	svchost.com	95
PID 3784 wrote to memory of 2296	3784	svchost.com	95
PID 3784 wrote to memory of 2296	3784	svchost.com	95
PID 4888 wrote to memory of 3212	4888	_CACHE~2.EXE	97
PID 4888 wrote to memory of 3212	4888	_CACHE~2.EXE	97
PID 4888 wrote to memory of 3212	4888	_CACHE~2.EXE	97
PID 2296 wrote to memory of 2924	2296	_CACHE~2.EXE	98
PID 2296 wrote to memory of 2924	2296	_CACHE~2.EXE	98
PID 2296 wrote to memory of 2924	2296	_CACHE~2.EXE	98
PID 3212 wrote to memory of 2640	3212	._cache__CACHE~2.EXE	128
PID 3212 wrote to memory of 2640	3212	._cache__CACHE~2.EXE	128
PID 3212 wrote to memory of 2640	3212	._cache__CACHE~2.EXE	128
PID 2640 wrote to memory of 5096	2640	svchost.com	101
PID 2640 wrote to memory of 5096	2640	svchost.com	101
PID 2640 wrote to memory of 5096	2640	svchost.com	101
PID 2924 wrote to memory of 3528	2924	._cache__CACHE~2.EXE	102
PID 2924 wrote to memory of 3528	2924	._cache__CACHE~2.EXE	102
PID 2924 wrote to memory of 3528	2924	._cache__CACHE~2.EXE	102
PID 3528 wrote to memory of 952	3528	svchost.com	103
PID 3528 wrote to memory of 952	3528	svchost.com	103
PID 3528 wrote to memory of 952	3528	svchost.com	103
PID 4888 wrote to memory of 3480	4888	_CACHE~2.EXE	125
PID 4888 wrote to memory of 3480	4888	_CACHE~2.EXE	125
PID 4888 wrote to memory of 3480	4888	_CACHE~2.EXE	125
PID 2296 wrote to memory of 4660	2296	_CACHE~2.EXE	106
PID 2296 wrote to memory of 4660	2296	_CACHE~2.EXE	106
PID 2296 wrote to memory of 4660	2296	_CACHE~2.EXE	106
PID 5096 wrote to memory of 5048	5096	_CACHE~1.EXE	109
PID 5096 wrote to memory of 5048	5096	_CACHE~1.EXE	109
PID 5096 wrote to memory of 5048	5096	_CACHE~1.EXE	109
PID 952 wrote to memory of 5076	952	_CACHE~1.EXE	108
PID 952 wrote to memory of 5076	952	_CACHE~1.EXE	108
PID 952 wrote to memory of 5076	952	_CACHE~1.EXE	108
PID 5096 wrote to memory of 1540	5096	_CACHE~1.EXE	111

C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4916
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        11⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5076
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        16⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4004
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        17⤵
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        18⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        19⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        20⤵
        
        PID:3948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        21⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        22⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        23⤵
        
        PID:2392
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        23⤵
        
        PID:4836
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        
        PID:1468
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        17⤵
        
        PID:2972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        18⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        19⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        20⤵
        
        PID:4056
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        
        PID:4488
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        
        PID:3528
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        17⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        18⤵
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        19⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        20⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        21⤵
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        22⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        23⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        24⤵
        
        PID:4644
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        22⤵
        
        PID:4576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        23⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        24⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        25⤵
        
        PID:3496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        26⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        27⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        28⤵
        
        PID:1716
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        
        PID:5084
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        
        PID:3480

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3480

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion